1 /*
2 * WPA/RSN - Shared functions for supplicant and authenticator
3 * Copyright (c) 2002-2018, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/sha384.h"
16 #include "crypto/sha512.h"
17 #include "crypto/aes_wrap.h"
18 #include "crypto/crypto.h"
19 #include "ieee802_11_defs.h"
20 #include "ieee802_11_common.h"
21 #include "defs.h"
22 #include "wpa_common.h"
23
24
wpa_kck_len(int akmp,size_t pmk_len)25 static unsigned int wpa_kck_len(int akmp, size_t pmk_len)
26 {
27 switch (akmp) {
28 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
29 case WPA_KEY_MGMT_IEEE8021X_SHA384:
30 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
31 return 24;
32 case WPA_KEY_MGMT_FILS_SHA256:
33 case WPA_KEY_MGMT_FT_FILS_SHA256:
34 case WPA_KEY_MGMT_FILS_SHA384:
35 case WPA_KEY_MGMT_FT_FILS_SHA384:
36 return 0;
37 case WPA_KEY_MGMT_DPP:
38 return pmk_len / 2;
39 case WPA_KEY_MGMT_OWE:
40 return pmk_len / 2;
41 case WPA_KEY_MGMT_SAE_EXT_KEY:
42 case WPA_KEY_MGMT_FT_SAE_EXT_KEY:
43 return pmk_len / 2;
44 default:
45 return 16;
46 }
47 }
48
49
50 #ifdef CONFIG_IEEE80211R
wpa_kck2_len(int akmp)51 static unsigned int wpa_kck2_len(int akmp)
52 {
53 switch (akmp) {
54 case WPA_KEY_MGMT_FT_FILS_SHA256:
55 return 16;
56 case WPA_KEY_MGMT_FT_FILS_SHA384:
57 return 24;
58 default:
59 return 0;
60 }
61 }
62 #endif /* CONFIG_IEEE80211R */
63
64
wpa_kek_len(int akmp,size_t pmk_len)65 static unsigned int wpa_kek_len(int akmp, size_t pmk_len)
66 {
67 switch (akmp) {
68 case WPA_KEY_MGMT_FILS_SHA384:
69 case WPA_KEY_MGMT_FT_FILS_SHA384:
70 return 64;
71 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
72 case WPA_KEY_MGMT_FILS_SHA256:
73 case WPA_KEY_MGMT_FT_FILS_SHA256:
74 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
75 case WPA_KEY_MGMT_IEEE8021X_SHA384:
76 return 32;
77 case WPA_KEY_MGMT_DPP:
78 return pmk_len <= 32 ? 16 : 32;
79 case WPA_KEY_MGMT_OWE:
80 return pmk_len <= 32 ? 16 : 32;
81 case WPA_KEY_MGMT_SAE_EXT_KEY:
82 case WPA_KEY_MGMT_FT_SAE_EXT_KEY:
83 return pmk_len <= 32 ? 16 : 32;
84 default:
85 return 16;
86 }
87 }
88
89
90 #ifdef CONFIG_IEEE80211R
wpa_kek2_len(int akmp)91 static unsigned int wpa_kek2_len(int akmp)
92 {
93 switch (akmp) {
94 case WPA_KEY_MGMT_FT_FILS_SHA256:
95 return 16;
96 case WPA_KEY_MGMT_FT_FILS_SHA384:
97 return 32;
98 default:
99 return 0;
100 }
101 }
102 #endif /* CONFIG_IEEE80211R */
103
104
wpa_mic_len(int akmp,size_t pmk_len)105 unsigned int wpa_mic_len(int akmp, size_t pmk_len)
106 {
107 switch (akmp) {
108 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
109 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
110 case WPA_KEY_MGMT_IEEE8021X_SHA384:
111 return 24;
112 case WPA_KEY_MGMT_FILS_SHA256:
113 case WPA_KEY_MGMT_FILS_SHA384:
114 case WPA_KEY_MGMT_FT_FILS_SHA256:
115 case WPA_KEY_MGMT_FT_FILS_SHA384:
116 return 0;
117 case WPA_KEY_MGMT_DPP:
118 return pmk_len / 2;
119 case WPA_KEY_MGMT_OWE:
120 return pmk_len / 2;
121 case WPA_KEY_MGMT_SAE_EXT_KEY:
122 case WPA_KEY_MGMT_FT_SAE_EXT_KEY:
123 return pmk_len / 2;
124 default:
125 return 16;
126 }
127 }
128
129
130 /**
131 * wpa_use_akm_defined - Is AKM-defined Key Descriptor Version used
132 * @akmp: WPA_KEY_MGMT_* used in key derivation
133 * Returns: 1 if AKM-defined Key Descriptor Version is used; 0 otherwise
134 */
wpa_use_akm_defined(int akmp)135 int wpa_use_akm_defined(int akmp)
136 {
137 return akmp == WPA_KEY_MGMT_OWE ||
138 akmp == WPA_KEY_MGMT_DPP ||
139 akmp == WPA_KEY_MGMT_FT_IEEE8021X_SHA384 ||
140 akmp == WPA_KEY_MGMT_IEEE8021X_SHA384 ||
141 wpa_key_mgmt_sae(akmp) ||
142 wpa_key_mgmt_suite_b(akmp) ||
143 wpa_key_mgmt_fils(akmp);
144 }
145
146
147 /**
148 * wpa_use_cmac - Is CMAC integrity algorithm used for EAPOL-Key MIC
149 * @akmp: WPA_KEY_MGMT_* used in key derivation
150 * Returns: 1 if CMAC is used; 0 otherwise
151 */
wpa_use_cmac(int akmp)152 int wpa_use_cmac(int akmp)
153 {
154 return akmp == WPA_KEY_MGMT_OWE ||
155 akmp == WPA_KEY_MGMT_DPP ||
156 wpa_key_mgmt_ft(akmp) ||
157 wpa_key_mgmt_sha256(akmp) ||
158 (wpa_key_mgmt_sae(akmp) &&
159 !wpa_key_mgmt_sae_ext_key(akmp)) ||
160 wpa_key_mgmt_suite_b(akmp);
161 }
162
163
164 /**
165 * wpa_use_aes_key_wrap - Is AES Keywrap algorithm used for EAPOL-Key Key Data
166 * @akmp: WPA_KEY_MGMT_* used in key derivation
167 * Returns: 1 if AES Keywrap is used; 0 otherwise
168 *
169 * Note: AKM 00-0F-AC:1 and 00-0F-AC:2 have special rules for selecting whether
170 * to use AES Keywrap based on the negotiated pairwise cipher. This function
171 * does not cover those special cases.
172 */
wpa_use_aes_key_wrap(int akmp)173 int wpa_use_aes_key_wrap(int akmp)
174 {
175 return akmp == WPA_KEY_MGMT_OWE ||
176 akmp == WPA_KEY_MGMT_DPP ||
177 akmp == WPA_KEY_MGMT_IEEE8021X_SHA384 ||
178 wpa_key_mgmt_ft(akmp) ||
179 wpa_key_mgmt_sha256(akmp) ||
180 wpa_key_mgmt_sae(akmp) ||
181 wpa_key_mgmt_suite_b(akmp);
182 }
183
184
185 /**
186 * wpa_eapol_key_mic - Calculate EAPOL-Key MIC
187 * @key: EAPOL-Key Key Confirmation Key (KCK)
188 * @key_len: KCK length in octets
189 * @akmp: WPA_KEY_MGMT_* used in key derivation
190 * @ver: Key descriptor version (WPA_KEY_INFO_TYPE_*)
191 * @buf: Pointer to the beginning of the EAPOL header (version field)
192 * @len: Length of the EAPOL frame (from EAPOL header to the end of the frame)
193 * @mic: Pointer to the buffer to which the EAPOL-Key MIC is written
194 * Returns: 0 on success, -1 on failure
195 *
196 * Calculate EAPOL-Key MIC for an EAPOL-Key packet. The EAPOL-Key MIC field has
197 * to be cleared (all zeroes) when calling this function.
198 *
199 * Note: 'IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames' has an error in the
200 * description of the Key MIC calculation. It includes packet data from the
201 * beginning of the EAPOL-Key header, not EAPOL header. This incorrect change
202 * happened during final editing of the standard and the correct behavior is
203 * defined in the last draft (IEEE 802.11i/D10).
204 */
wpa_eapol_key_mic(const u8 * key,size_t key_len,int akmp,int ver,const u8 * buf,size_t len,u8 * mic)205 int wpa_eapol_key_mic(const u8 *key, size_t key_len, int akmp, int ver,
206 const u8 *buf, size_t len, u8 *mic)
207 {
208 u8 hash[SHA512_MAC_LEN];
209
210 if (key_len == 0) {
211 wpa_printf(MSG_DEBUG,
212 "WPA: KCK not set - cannot calculate MIC");
213 return -1;
214 }
215
216 switch (ver) {
217 #ifndef CONFIG_FIPS
218 case WPA_KEY_INFO_TYPE_HMAC_MD5_RC4:
219 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key MIC using HMAC-MD5");
220 return hmac_md5(key, key_len, buf, len, mic);
221 #endif /* CONFIG_FIPS */
222 case WPA_KEY_INFO_TYPE_HMAC_SHA1_AES:
223 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key MIC using HMAC-SHA1");
224 if (hmac_sha1(key, key_len, buf, len, hash))
225 return -1;
226 os_memcpy(mic, hash, MD5_MAC_LEN);
227 break;
228 case WPA_KEY_INFO_TYPE_AES_128_CMAC:
229 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key MIC using AES-CMAC");
230 return omac1_aes_128(key, buf, len, mic);
231 case WPA_KEY_INFO_TYPE_AKM_DEFINED:
232 switch (akmp) {
233 #ifdef CONFIG_SAE
234 case WPA_KEY_MGMT_SAE:
235 case WPA_KEY_MGMT_FT_SAE:
236 wpa_printf(MSG_DEBUG,
237 "WPA: EAPOL-Key MIC using AES-CMAC (AKM-defined - SAE)");
238 return omac1_aes_128(key, buf, len, mic);
239 case WPA_KEY_MGMT_SAE_EXT_KEY:
240 case WPA_KEY_MGMT_FT_SAE_EXT_KEY:
241 wpa_printf(MSG_DEBUG,
242 "WPA: EAPOL-Key MIC using HMAC-SHA%u (AKM-defined - SAE-EXT-KEY)",
243 (unsigned int) key_len * 8 * 2);
244 if (key_len == 128 / 8) {
245 if (hmac_sha256(key, key_len, buf, len, hash))
246 return -1;
247 #ifdef CONFIG_SHA384
248 } else if (key_len == 192 / 8) {
249 if (hmac_sha384(key, key_len, buf, len, hash))
250 return -1;
251 #endif /* CONFIG_SHA384 */
252 #ifdef CONFIG_SHA512
253 } else if (key_len == 256 / 8) {
254 if (hmac_sha512(key, key_len, buf, len, hash))
255 return -1;
256 #endif /* CONFIG_SHA512 */
257 } else {
258 wpa_printf(MSG_INFO,
259 "SAE: Unsupported KCK length: %u",
260 (unsigned int) key_len);
261 return -1;
262 }
263 os_memcpy(mic, hash, key_len);
264 break;
265 #endif /* CONFIG_SAE */
266 #ifdef CONFIG_SUITEB
267 case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
268 wpa_printf(MSG_DEBUG,
269 "WPA: EAPOL-Key MIC using HMAC-SHA256 (AKM-defined - Suite B)");
270 if (hmac_sha256(key, key_len, buf, len, hash))
271 return -1;
272 os_memcpy(mic, hash, MD5_MAC_LEN);
273 break;
274 #endif /* CONFIG_SUITEB */
275 #ifdef CONFIG_SUITEB192
276 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
277 wpa_printf(MSG_DEBUG,
278 "WPA: EAPOL-Key MIC using HMAC-SHA384 (AKM-defined - Suite B 192-bit)");
279 if (hmac_sha384(key, key_len, buf, len, hash))
280 return -1;
281 os_memcpy(mic, hash, 24);
282 break;
283 #endif /* CONFIG_SUITEB192 */
284 #ifdef CONFIG_OWE
285 case WPA_KEY_MGMT_OWE:
286 wpa_printf(MSG_DEBUG,
287 "WPA: EAPOL-Key MIC using HMAC-SHA%u (AKM-defined - OWE)",
288 (unsigned int) key_len * 8 * 2);
289 if (key_len == 128 / 8) {
290 if (hmac_sha256(key, key_len, buf, len, hash))
291 return -1;
292 } else if (key_len == 192 / 8) {
293 if (hmac_sha384(key, key_len, buf, len, hash))
294 return -1;
295 } else if (key_len == 256 / 8) {
296 if (hmac_sha512(key, key_len, buf, len, hash))
297 return -1;
298 } else {
299 wpa_printf(MSG_INFO,
300 "OWE: Unsupported KCK length: %u",
301 (unsigned int) key_len);
302 return -1;
303 }
304 os_memcpy(mic, hash, key_len);
305 break;
306 #endif /* CONFIG_OWE */
307 #ifdef CONFIG_DPP
308 case WPA_KEY_MGMT_DPP:
309 wpa_printf(MSG_DEBUG,
310 "WPA: EAPOL-Key MIC using HMAC-SHA%u (AKM-defined - DPP)",
311 (unsigned int) key_len * 8 * 2);
312 if (key_len == 128 / 8) {
313 if (hmac_sha256(key, key_len, buf, len, hash))
314 return -1;
315 } else if (key_len == 192 / 8) {
316 if (hmac_sha384(key, key_len, buf, len, hash))
317 return -1;
318 } else if (key_len == 256 / 8) {
319 if (hmac_sha512(key, key_len, buf, len, hash))
320 return -1;
321 } else {
322 wpa_printf(MSG_INFO,
323 "DPP: Unsupported KCK length: %u",
324 (unsigned int) key_len);
325 return -1;
326 }
327 os_memcpy(mic, hash, key_len);
328 break;
329 #endif /* CONFIG_DPP */
330 #ifdef CONFIG_SHA384
331 case WPA_KEY_MGMT_IEEE8021X_SHA384:
332 #ifdef CONFIG_IEEE80211R
333 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
334 #endif /* CONFIG_IEEE80211R */
335 wpa_printf(MSG_DEBUG,
336 "WPA: EAPOL-Key MIC using HMAC-SHA384 (AKM-defined - 802.1X SHA384)");
337 if (hmac_sha384(key, key_len, buf, len, hash))
338 return -1;
339 os_memcpy(mic, hash, 24);
340 break;
341 #endif /* CONFIG_SHA384 */
342 default:
343 wpa_printf(MSG_DEBUG,
344 "WPA: EAPOL-Key MIC algorithm not known (AKM-defined - akmp=0x%x)",
345 akmp);
346 return -1;
347 }
348 break;
349 default:
350 wpa_printf(MSG_DEBUG,
351 "WPA: EAPOL-Key MIC algorithm not known (ver=%d)",
352 ver);
353 return -1;
354 }
355
356 return 0;
357 }
358
359
360 /**
361 * wpa_pmk_to_ptk - Calculate PTK from PMK, addresses, and nonces
362 * @pmk: Pairwise master key
363 * @pmk_len: Length of PMK
364 * @label: Label to use in derivation
365 * @addr1: AA or SA
366 * @addr2: SA or AA
367 * @nonce1: ANonce or SNonce
368 * @nonce2: SNonce or ANonce
369 * @ptk: Buffer for pairwise transient key
370 * @akmp: Negotiated AKM
371 * @cipher: Negotiated pairwise cipher
372 * @kdk_len: The length in octets that should be derived for KDK
373 * Returns: 0 on success, -1 on failure
374 *
375 * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy
376 * PTK = PRF-X(PMK, "Pairwise key expansion",
377 * Min(AA, SA) || Max(AA, SA) ||
378 * Min(ANonce, SNonce) || Max(ANonce, SNonce)
379 * [ || Z.x ])
380 *
381 * The optional Z.x component is used only with DPP and that part is not defined
382 * in IEEE 802.11.
383 */
wpa_pmk_to_ptk(const u8 * pmk,size_t pmk_len,const char * label,const u8 * addr1,const u8 * addr2,const u8 * nonce1,const u8 * nonce2,struct wpa_ptk * ptk,int akmp,int cipher,const u8 * z,size_t z_len,size_t kdk_len)384 int wpa_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const char *label,
385 const u8 *addr1, const u8 *addr2,
386 const u8 *nonce1, const u8 *nonce2,
387 struct wpa_ptk *ptk, int akmp, int cipher,
388 const u8 *z, size_t z_len, size_t kdk_len)
389 {
390 #define MAX_Z_LEN 66 /* with NIST P-521 */
391 u8 data[2 * ETH_ALEN + 2 * WPA_NONCE_LEN + MAX_Z_LEN];
392 size_t data_len = 2 * ETH_ALEN + 2 * WPA_NONCE_LEN;
393 u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN +
394 WPA_KDK_MAX_LEN];
395 size_t ptk_len;
396 #ifdef CONFIG_OWE
397 int owe_ptk_workaround = 0;
398
399 if (akmp == (WPA_KEY_MGMT_OWE | WPA_KEY_MGMT_PSK_SHA256)) {
400 owe_ptk_workaround = 1;
401 akmp = WPA_KEY_MGMT_OWE;
402 }
403 #endif /* CONFIG_OWE */
404
405 if (pmk_len == 0) {
406 wpa_printf(MSG_ERROR, "WPA: No PMK set for PTK derivation");
407 return -1;
408 }
409
410 if (z_len > MAX_Z_LEN)
411 return -1;
412
413 if (os_memcmp(addr1, addr2, ETH_ALEN) < 0) {
414 os_memcpy(data, addr1, ETH_ALEN);
415 os_memcpy(data + ETH_ALEN, addr2, ETH_ALEN);
416 } else {
417 os_memcpy(data, addr2, ETH_ALEN);
418 os_memcpy(data + ETH_ALEN, addr1, ETH_ALEN);
419 }
420
421 if (os_memcmp(nonce1, nonce2, WPA_NONCE_LEN) < 0) {
422 os_memcpy(data + 2 * ETH_ALEN, nonce1, WPA_NONCE_LEN);
423 os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce2,
424 WPA_NONCE_LEN);
425 } else {
426 os_memcpy(data + 2 * ETH_ALEN, nonce2, WPA_NONCE_LEN);
427 os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce1,
428 WPA_NONCE_LEN);
429 }
430
431 if (z && z_len) {
432 os_memcpy(data + 2 * ETH_ALEN + 2 * WPA_NONCE_LEN, z, z_len);
433 data_len += z_len;
434 }
435
436 if (kdk_len > WPA_KDK_MAX_LEN) {
437 wpa_printf(MSG_ERROR,
438 "WPA: KDK len=%zu exceeds max supported len",
439 kdk_len);
440 return -1;
441 }
442
443 ptk->kck_len = wpa_kck_len(akmp, pmk_len);
444 ptk->kek_len = wpa_kek_len(akmp, pmk_len);
445 ptk->tk_len = wpa_cipher_key_len(cipher);
446 ptk->kdk_len = kdk_len;
447 if (ptk->tk_len == 0) {
448 wpa_printf(MSG_ERROR,
449 "WPA: Unsupported cipher (0x%x) used in PTK derivation",
450 cipher);
451 return -1;
452 }
453 ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len + ptk->kdk_len;
454
455 if (wpa_key_mgmt_sha384(akmp)) {
456 #ifdef CONFIG_SHA384
457 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA384)");
458 if (sha384_prf(pmk, pmk_len, label, data, data_len,
459 tmp, ptk_len) < 0)
460 return -1;
461 #else /* CONFIG_SHA384 */
462 return -1;
463 #endif /* CONFIG_SHA384 */
464 } else if (wpa_key_mgmt_sha256(akmp)) {
465 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA256)");
466 if (sha256_prf(pmk, pmk_len, label, data, data_len,
467 tmp, ptk_len) < 0)
468 return -1;
469 #ifdef CONFIG_OWE
470 } else if (akmp == WPA_KEY_MGMT_OWE && (pmk_len == 32 ||
471 owe_ptk_workaround)) {
472 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA256)");
473 if (sha256_prf(pmk, pmk_len, label, data, data_len,
474 tmp, ptk_len) < 0)
475 return -1;
476 } else if (akmp == WPA_KEY_MGMT_OWE && pmk_len == 48) {
477 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA384)");
478 if (sha384_prf(pmk, pmk_len, label, data, data_len,
479 tmp, ptk_len) < 0)
480 return -1;
481 } else if (akmp == WPA_KEY_MGMT_OWE && pmk_len == 64) {
482 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA512)");
483 if (sha512_prf(pmk, pmk_len, label, data, data_len,
484 tmp, ptk_len) < 0)
485 return -1;
486 } else if (akmp == WPA_KEY_MGMT_OWE) {
487 wpa_printf(MSG_INFO, "OWE: Unknown PMK length %u",
488 (unsigned int) pmk_len);
489 return -1;
490 #endif /* CONFIG_OWE */
491 #ifdef CONFIG_DPP
492 } else if (akmp == WPA_KEY_MGMT_DPP && pmk_len == 32) {
493 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA256)");
494 if (sha256_prf(pmk, pmk_len, label, data, data_len,
495 tmp, ptk_len) < 0)
496 return -1;
497 } else if (akmp == WPA_KEY_MGMT_DPP && pmk_len == 48) {
498 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA384)");
499 if (sha384_prf(pmk, pmk_len, label, data, data_len,
500 tmp, ptk_len) < 0)
501 return -1;
502 } else if (akmp == WPA_KEY_MGMT_DPP && pmk_len == 64) {
503 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA512)");
504 if (sha512_prf(pmk, pmk_len, label, data, data_len,
505 tmp, ptk_len) < 0)
506 return -1;
507 } else if (akmp == WPA_KEY_MGMT_DPP) {
508 wpa_printf(MSG_INFO, "DPP: Unknown PMK length %u",
509 (unsigned int) pmk_len);
510 return -1;
511 #endif /* CONFIG_DPP */
512 #ifdef CONFIG_SAE
513 } else if (wpa_key_mgmt_sae_ext_key(akmp)) {
514 if (pmk_len == 32) {
515 wpa_printf(MSG_DEBUG,
516 "SAE: PTK derivation using PRF(SHA256)");
517 if (sha256_prf(pmk, pmk_len, label, data, data_len,
518 tmp, ptk_len) < 0)
519 return -1;
520 #ifdef CONFIG_SHA384
521 } else if (pmk_len == 48) {
522 wpa_printf(MSG_DEBUG,
523 "SAE: PTK derivation using PRF(SHA384)");
524 if (sha384_prf(pmk, pmk_len, label, data, data_len,
525 tmp, ptk_len) < 0)
526 return -1;
527 #endif /* CONFIG_SHA384 */
528 #ifdef CONFIG_SHA512
529 } else if (pmk_len == 64) {
530 wpa_printf(MSG_DEBUG,
531 "SAE: PTK derivation using PRF(SHA512)");
532 if (sha512_prf(pmk, pmk_len, label, data, data_len,
533 tmp, ptk_len) < 0)
534 return -1;
535 #endif /* CONFIG_SHA512 */
536 } else {
537 wpa_printf(MSG_INFO, "SAE: Unknown PMK length %u",
538 (unsigned int) pmk_len);
539 return -1;
540 }
541 #endif /* CONFIG_SAE */
542 } else {
543 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA1)");
544 if (sha1_prf(pmk, pmk_len, label, data, data_len, tmp,
545 ptk_len) < 0)
546 return -1;
547 }
548
549 wpa_printf(MSG_DEBUG, "WPA: PTK derivation - A1=" MACSTR " A2=" MACSTR,
550 MAC2STR(addr1), MAC2STR(addr2));
551 wpa_hexdump(MSG_DEBUG, "WPA: Nonce1", nonce1, WPA_NONCE_LEN);
552 wpa_hexdump(MSG_DEBUG, "WPA: Nonce2", nonce2, WPA_NONCE_LEN);
553 if (z && z_len)
554 wpa_hexdump_key(MSG_DEBUG, "WPA: Z.x", z, z_len);
555 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK", pmk, pmk_len);
556 wpa_hexdump_key(MSG_DEBUG, "WPA: PTK", tmp, ptk_len);
557
558 os_memcpy(ptk->kck, tmp, ptk->kck_len);
559 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK", ptk->kck, ptk->kck_len);
560
561 os_memcpy(ptk->kek, tmp + ptk->kck_len, ptk->kek_len);
562 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len);
563
564 os_memcpy(ptk->tk, tmp + ptk->kck_len + ptk->kek_len, ptk->tk_len);
565 wpa_hexdump_key(MSG_DEBUG, "WPA: TK", ptk->tk, ptk->tk_len);
566
567 if (kdk_len) {
568 os_memcpy(ptk->kdk, tmp + ptk->kck_len + ptk->kek_len +
569 ptk->tk_len, ptk->kdk_len);
570 wpa_hexdump_key(MSG_DEBUG, "WPA: KDK", ptk->kdk, ptk->kdk_len);
571 }
572
573 ptk->kek2_len = 0;
574 ptk->kck2_len = 0;
575
576 ptk->ptk_len = ptk_len;
577 os_memset(tmp, 0, sizeof(tmp));
578 os_memset(data, 0, data_len);
579 return 0;
580 }
581
582 #ifdef CONFIG_FILS
583
fils_rmsk_to_pmk(int akmp,const u8 * rmsk,size_t rmsk_len,const u8 * snonce,const u8 * anonce,const u8 * dh_ss,size_t dh_ss_len,u8 * pmk,size_t * pmk_len)584 int fils_rmsk_to_pmk(int akmp, const u8 *rmsk, size_t rmsk_len,
585 const u8 *snonce, const u8 *anonce, const u8 *dh_ss,
586 size_t dh_ss_len, u8 *pmk, size_t *pmk_len)
587 {
588 u8 nonces[2 * FILS_NONCE_LEN];
589 const u8 *addr[2];
590 size_t len[2];
591 size_t num_elem;
592 int res;
593
594 /* PMK = HMAC-Hash(SNonce || ANonce, rMSK [ || DHss ]) */
595 wpa_printf(MSG_DEBUG, "FILS: rMSK to PMK derivation");
596
597 if (wpa_key_mgmt_sha384(akmp))
598 *pmk_len = SHA384_MAC_LEN;
599 else if (wpa_key_mgmt_sha256(akmp))
600 *pmk_len = SHA256_MAC_LEN;
601 else
602 return -1;
603
604 wpa_hexdump_key(MSG_DEBUG, "FILS: rMSK", rmsk, rmsk_len);
605 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", snonce, FILS_NONCE_LEN);
606 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", anonce, FILS_NONCE_LEN);
607 wpa_hexdump(MSG_DEBUG, "FILS: DHss", dh_ss, dh_ss_len);
608
609 os_memcpy(nonces, snonce, FILS_NONCE_LEN);
610 os_memcpy(&nonces[FILS_NONCE_LEN], anonce, FILS_NONCE_LEN);
611 addr[0] = rmsk;
612 len[0] = rmsk_len;
613 num_elem = 1;
614 if (dh_ss) {
615 addr[1] = dh_ss;
616 len[1] = dh_ss_len;
617 num_elem++;
618 }
619 if (wpa_key_mgmt_sha384(akmp))
620 res = hmac_sha384_vector(nonces, 2 * FILS_NONCE_LEN, num_elem,
621 addr, len, pmk);
622 else
623 res = hmac_sha256_vector(nonces, 2 * FILS_NONCE_LEN, num_elem,
624 addr, len, pmk);
625 if (res == 0)
626 wpa_hexdump_key(MSG_DEBUG, "FILS: PMK", pmk, *pmk_len);
627 else
628 *pmk_len = 0;
629 return res;
630 }
631
632
fils_pmkid_erp(int akmp,const u8 * reauth,size_t reauth_len,u8 * pmkid)633 int fils_pmkid_erp(int akmp, const u8 *reauth, size_t reauth_len,
634 u8 *pmkid)
635 {
636 const u8 *addr[1];
637 size_t len[1];
638 u8 hash[SHA384_MAC_LEN];
639 int res;
640
641 /* PMKID = Truncate-128(Hash(EAP-Initiate/Reauth)) */
642 addr[0] = reauth;
643 len[0] = reauth_len;
644 if (wpa_key_mgmt_sha384(akmp))
645 res = sha384_vector(1, addr, len, hash);
646 else if (wpa_key_mgmt_sha256(akmp))
647 res = sha256_vector(1, addr, len, hash);
648 else
649 return -1;
650 if (res)
651 return res;
652 os_memcpy(pmkid, hash, PMKID_LEN);
653 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
654 return 0;
655 }
656
657
fils_pmk_to_ptk(const u8 * pmk,size_t pmk_len,const u8 * spa,const u8 * aa,const u8 * snonce,const u8 * anonce,const u8 * dhss,size_t dhss_len,struct wpa_ptk * ptk,u8 * ick,size_t * ick_len,int akmp,int cipher,u8 * fils_ft,size_t * fils_ft_len,size_t kdk_len)658 int fils_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const u8 *spa, const u8 *aa,
659 const u8 *snonce, const u8 *anonce, const u8 *dhss,
660 size_t dhss_len, struct wpa_ptk *ptk,
661 u8 *ick, size_t *ick_len, int akmp, int cipher,
662 u8 *fils_ft, size_t *fils_ft_len, size_t kdk_len)
663 {
664 u8 *data, *pos;
665 size_t data_len;
666 u8 tmp[FILS_ICK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN +
667 FILS_FT_MAX_LEN + WPA_KDK_MAX_LEN];
668 size_t key_data_len;
669 const char *label = "FILS PTK Derivation";
670 int ret = -1;
671 size_t offset;
672
673 /*
674 * FILS-Key-Data = PRF-X(PMK, "FILS PTK Derivation",
675 * SPA || AA || SNonce || ANonce [ || DHss ])
676 * ICK = L(FILS-Key-Data, 0, ICK_bits)
677 * KEK = L(FILS-Key-Data, ICK_bits, KEK_bits)
678 * TK = L(FILS-Key-Data, ICK_bits + KEK_bits, TK_bits)
679 * If doing FT initial mobility domain association:
680 * FILS-FT = L(FILS-Key-Data, ICK_bits + KEK_bits + TK_bits,
681 * FILS-FT_bits)
682 * When a KDK is derived:
683 * KDK = L(FILS-Key-Data, ICK_bits + KEK_bits + TK_bits + FILS-FT_bits,
684 * KDK_bits)
685 */
686 data_len = 2 * ETH_ALEN + 2 * FILS_NONCE_LEN + dhss_len;
687 data = os_malloc(data_len);
688 if (!data)
689 goto err;
690 pos = data;
691 os_memcpy(pos, spa, ETH_ALEN);
692 pos += ETH_ALEN;
693 os_memcpy(pos, aa, ETH_ALEN);
694 pos += ETH_ALEN;
695 os_memcpy(pos, snonce, FILS_NONCE_LEN);
696 pos += FILS_NONCE_LEN;
697 os_memcpy(pos, anonce, FILS_NONCE_LEN);
698 pos += FILS_NONCE_LEN;
699 if (dhss)
700 os_memcpy(pos, dhss, dhss_len);
701
702 ptk->kck_len = 0;
703 ptk->kek_len = wpa_kek_len(akmp, pmk_len);
704 ptk->tk_len = wpa_cipher_key_len(cipher);
705 if (wpa_key_mgmt_sha384(akmp))
706 *ick_len = 48;
707 else if (wpa_key_mgmt_sha256(akmp))
708 *ick_len = 32;
709 else
710 goto err;
711 key_data_len = *ick_len + ptk->kek_len + ptk->tk_len;
712
713 if (kdk_len) {
714 if (kdk_len > WPA_KDK_MAX_LEN) {
715 wpa_printf(MSG_ERROR, "FILS: KDK len=%zu too big",
716 kdk_len);
717 goto err;
718 }
719
720 ptk->kdk_len = kdk_len;
721 key_data_len += kdk_len;
722 } else {
723 ptk->kdk_len = 0;
724 }
725
726 if (fils_ft && fils_ft_len) {
727 if (akmp == WPA_KEY_MGMT_FT_FILS_SHA256) {
728 *fils_ft_len = 32;
729 } else if (akmp == WPA_KEY_MGMT_FT_FILS_SHA384) {
730 *fils_ft_len = 48;
731 } else {
732 *fils_ft_len = 0;
733 fils_ft = NULL;
734 }
735 key_data_len += *fils_ft_len;
736 }
737
738 if (wpa_key_mgmt_sha384(akmp)) {
739 wpa_printf(MSG_DEBUG, "FILS: PTK derivation using PRF(SHA384)");
740 if (sha384_prf(pmk, pmk_len, label, data, data_len,
741 tmp, key_data_len) < 0)
742 goto err;
743 } else {
744 wpa_printf(MSG_DEBUG, "FILS: PTK derivation using PRF(SHA256)");
745 if (sha256_prf(pmk, pmk_len, label, data, data_len,
746 tmp, key_data_len) < 0)
747 goto err;
748 }
749
750 wpa_printf(MSG_DEBUG, "FILS: PTK derivation - SPA=" MACSTR
751 " AA=" MACSTR, MAC2STR(spa), MAC2STR(aa));
752 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", snonce, FILS_NONCE_LEN);
753 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", anonce, FILS_NONCE_LEN);
754 if (dhss)
755 wpa_hexdump_key(MSG_DEBUG, "FILS: DHss", dhss, dhss_len);
756 wpa_hexdump_key(MSG_DEBUG, "FILS: PMK", pmk, pmk_len);
757 wpa_hexdump_key(MSG_DEBUG, "FILS: FILS-Key-Data", tmp, key_data_len);
758
759 os_memcpy(ick, tmp, *ick_len);
760 offset = *ick_len;
761 wpa_hexdump_key(MSG_DEBUG, "FILS: ICK", ick, *ick_len);
762
763 os_memcpy(ptk->kek, tmp + offset, ptk->kek_len);
764 wpa_hexdump_key(MSG_DEBUG, "FILS: KEK", ptk->kek, ptk->kek_len);
765 offset += ptk->kek_len;
766
767 os_memcpy(ptk->tk, tmp + offset, ptk->tk_len);
768 wpa_hexdump_key(MSG_DEBUG, "FILS: TK", ptk->tk, ptk->tk_len);
769 offset += ptk->tk_len;
770
771 if (fils_ft && fils_ft_len) {
772 os_memcpy(fils_ft, tmp + offset, *fils_ft_len);
773 wpa_hexdump_key(MSG_DEBUG, "FILS: FILS-FT",
774 fils_ft, *fils_ft_len);
775 offset += *fils_ft_len;
776 }
777
778 if (ptk->kdk_len) {
779 os_memcpy(ptk->kdk, tmp + offset, ptk->kdk_len);
780 wpa_hexdump_key(MSG_DEBUG, "FILS: KDK", ptk->kdk, ptk->kdk_len);
781 }
782
783 ptk->kek2_len = 0;
784 ptk->kck2_len = 0;
785
786 os_memset(tmp, 0, sizeof(tmp));
787 ret = 0;
788 err:
789 bin_clear_free(data, data_len);
790 return ret;
791 }
792
793
fils_key_auth_sk(const u8 * ick,size_t ick_len,const u8 * snonce,const u8 * anonce,const u8 * sta_addr,const u8 * bssid,const u8 * g_sta,size_t g_sta_len,const u8 * g_ap,size_t g_ap_len,int akmp,u8 * key_auth_sta,u8 * key_auth_ap,size_t * key_auth_len)794 int fils_key_auth_sk(const u8 *ick, size_t ick_len, const u8 *snonce,
795 const u8 *anonce, const u8 *sta_addr, const u8 *bssid,
796 const u8 *g_sta, size_t g_sta_len,
797 const u8 *g_ap, size_t g_ap_len,
798 int akmp, u8 *key_auth_sta, u8 *key_auth_ap,
799 size_t *key_auth_len)
800 {
801 const u8 *addr[6];
802 size_t len[6];
803 size_t num_elem = 4;
804 int res;
805
806 wpa_printf(MSG_DEBUG, "FILS: Key-Auth derivation: STA-MAC=" MACSTR
807 " AP-BSSID=" MACSTR, MAC2STR(sta_addr), MAC2STR(bssid));
808 wpa_hexdump_key(MSG_DEBUG, "FILS: ICK", ick, ick_len);
809 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", snonce, FILS_NONCE_LEN);
810 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", anonce, FILS_NONCE_LEN);
811 wpa_hexdump(MSG_DEBUG, "FILS: gSTA", g_sta, g_sta_len);
812 wpa_hexdump(MSG_DEBUG, "FILS: gAP", g_ap, g_ap_len);
813
814 /*
815 * For (Re)Association Request frame (STA->AP):
816 * Key-Auth = HMAC-Hash(ICK, SNonce || ANonce || STA-MAC || AP-BSSID
817 * [ || gSTA || gAP ])
818 */
819 addr[0] = snonce;
820 len[0] = FILS_NONCE_LEN;
821 addr[1] = anonce;
822 len[1] = FILS_NONCE_LEN;
823 addr[2] = sta_addr;
824 len[2] = ETH_ALEN;
825 addr[3] = bssid;
826 len[3] = ETH_ALEN;
827 if (g_sta && g_sta_len && g_ap && g_ap_len) {
828 addr[4] = g_sta;
829 len[4] = g_sta_len;
830 addr[5] = g_ap;
831 len[5] = g_ap_len;
832 num_elem = 6;
833 }
834
835 if (wpa_key_mgmt_sha384(akmp)) {
836 *key_auth_len = 48;
837 res = hmac_sha384_vector(ick, ick_len, num_elem, addr, len,
838 key_auth_sta);
839 } else if (wpa_key_mgmt_sha256(akmp)) {
840 *key_auth_len = 32;
841 res = hmac_sha256_vector(ick, ick_len, num_elem, addr, len,
842 key_auth_sta);
843 } else {
844 return -1;
845 }
846 if (res < 0)
847 return res;
848
849 /*
850 * For (Re)Association Response frame (AP->STA):
851 * Key-Auth = HMAC-Hash(ICK, ANonce || SNonce || AP-BSSID || STA-MAC
852 * [ || gAP || gSTA ])
853 */
854 addr[0] = anonce;
855 addr[1] = snonce;
856 addr[2] = bssid;
857 addr[3] = sta_addr;
858 if (g_sta && g_sta_len && g_ap && g_ap_len) {
859 addr[4] = g_ap;
860 len[4] = g_ap_len;
861 addr[5] = g_sta;
862 len[5] = g_sta_len;
863 }
864
865 if (wpa_key_mgmt_sha384(akmp))
866 res = hmac_sha384_vector(ick, ick_len, num_elem, addr, len,
867 key_auth_ap);
868 else if (wpa_key_mgmt_sha256(akmp))
869 res = hmac_sha256_vector(ick, ick_len, num_elem, addr, len,
870 key_auth_ap);
871 if (res < 0)
872 return res;
873
874 wpa_hexdump(MSG_DEBUG, "FILS: Key-Auth (STA)",
875 key_auth_sta, *key_auth_len);
876 wpa_hexdump(MSG_DEBUG, "FILS: Key-Auth (AP)",
877 key_auth_ap, *key_auth_len);
878
879 return 0;
880 }
881
882 #endif /* CONFIG_FILS */
883
884
885 #ifdef CONFIG_IEEE80211R
wpa_ft_mic(int key_mgmt,const u8 * kck,size_t kck_len,const u8 * sta_addr,const u8 * ap_addr,u8 transaction_seqnum,const u8 * mdie,size_t mdie_len,const u8 * ftie,size_t ftie_len,const u8 * rsnie,size_t rsnie_len,const u8 * ric,size_t ric_len,const u8 * rsnxe,size_t rsnxe_len,const struct wpabuf * extra,u8 * mic)886 int wpa_ft_mic(int key_mgmt, const u8 *kck, size_t kck_len, const u8 *sta_addr,
887 const u8 *ap_addr, u8 transaction_seqnum,
888 const u8 *mdie, size_t mdie_len,
889 const u8 *ftie, size_t ftie_len,
890 const u8 *rsnie, size_t rsnie_len,
891 const u8 *ric, size_t ric_len,
892 const u8 *rsnxe, size_t rsnxe_len,
893 const struct wpabuf *extra,
894 u8 *mic)
895 {
896 const u8 *addr[11];
897 size_t len[11];
898 size_t i, num_elem = 0;
899 u8 zero_mic[32];
900 size_t mic_len, fte_fixed_len;
901 int res;
902
903 if (kck_len == 16) {
904 mic_len = 16;
905 #ifdef CONFIG_SHA384
906 } else if (kck_len == 24) {
907 mic_len = 24;
908 #endif /* CONFIG_SHA384 */
909 #ifdef CONFIG_SHA512
910 } else if (kck_len == 32) {
911 mic_len = 32;
912 #endif /* CONFIG_SHA512 */
913 } else {
914 wpa_printf(MSG_WARNING, "FT: Unsupported KCK length %u",
915 (unsigned int) kck_len);
916 return -1;
917 }
918
919 fte_fixed_len = sizeof(struct rsn_ftie) - 16 + mic_len;
920
921 addr[num_elem] = sta_addr;
922 len[num_elem] = ETH_ALEN;
923 num_elem++;
924
925 addr[num_elem] = ap_addr;
926 len[num_elem] = ETH_ALEN;
927 num_elem++;
928
929 addr[num_elem] = &transaction_seqnum;
930 len[num_elem] = 1;
931 num_elem++;
932
933 if (rsnie) {
934 addr[num_elem] = rsnie;
935 len[num_elem] = rsnie_len;
936 num_elem++;
937 }
938 if (mdie) {
939 addr[num_elem] = mdie;
940 len[num_elem] = mdie_len;
941 num_elem++;
942 }
943 if (ftie) {
944 if (ftie_len < 2 + fte_fixed_len)
945 return -1;
946
947 /* IE hdr and mic_control */
948 addr[num_elem] = ftie;
949 len[num_elem] = 2 + 2;
950 num_elem++;
951
952 /* MIC field with all zeros */
953 os_memset(zero_mic, 0, mic_len);
954 addr[num_elem] = zero_mic;
955 len[num_elem] = mic_len;
956 num_elem++;
957
958 /* Rest of FTIE */
959 addr[num_elem] = ftie + 2 + 2 + mic_len;
960 len[num_elem] = ftie_len - (2 + 2 + mic_len);
961 num_elem++;
962 }
963 if (ric) {
964 addr[num_elem] = ric;
965 len[num_elem] = ric_len;
966 num_elem++;
967 }
968
969 if (rsnxe) {
970 addr[num_elem] = rsnxe;
971 len[num_elem] = rsnxe_len;
972 num_elem++;
973 }
974
975 if (extra) {
976 addr[num_elem] = wpabuf_head(extra);
977 len[num_elem] = wpabuf_len(extra);
978 num_elem++;
979 }
980
981 for (i = 0; i < num_elem; i++)
982 wpa_hexdump(MSG_MSGDUMP, "FT: MIC data", addr[i], len[i]);
983 res = -1;
984 #ifdef CONFIG_SHA512
985 if (kck_len == 32) {
986 u8 hash[SHA512_MAC_LEN];
987
988 if (hmac_sha512_vector(kck, kck_len, num_elem, addr, len, hash))
989 return -1;
990 os_memcpy(mic, hash, 32);
991 res = 0;
992 }
993 #endif /* CONFIG_SHA384 */
994 #ifdef CONFIG_SHA384
995 if (kck_len == 24) {
996 u8 hash[SHA384_MAC_LEN];
997
998 if (hmac_sha384_vector(kck, kck_len, num_elem, addr, len, hash))
999 return -1;
1000 os_memcpy(mic, hash, 24);
1001 res = 0;
1002 }
1003 #endif /* CONFIG_SHA384 */
1004 if (kck_len == 16 && key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY) {
1005 u8 hash[SHA256_MAC_LEN];
1006
1007 if (hmac_sha256_vector(kck, kck_len, num_elem, addr, len, hash))
1008 return -1;
1009 os_memcpy(mic, hash, 16);
1010 res = 0;
1011 }
1012 if (kck_len == 16 && key_mgmt != WPA_KEY_MGMT_FT_SAE_EXT_KEY &&
1013 omac1_aes_128_vector(kck, num_elem, addr, len, mic) == 0)
1014 res = 0;
1015
1016 return res;
1017 }
1018
1019
wpa_ft_parse_ftie(const u8 * ie,size_t ie_len,struct wpa_ft_ies * parse,const u8 * opt)1020 static int wpa_ft_parse_ftie(const u8 *ie, size_t ie_len,
1021 struct wpa_ft_ies *parse, const u8 *opt)
1022 {
1023 const u8 *end, *pos;
1024 u8 link_id;
1025
1026 pos = opt;
1027 end = ie + ie_len;
1028 wpa_hexdump(MSG_DEBUG, "FT: Parse FTE subelements", pos, end - pos);
1029
1030 while (end - pos >= 2) {
1031 u8 id, len;
1032
1033 id = *pos++;
1034 len = *pos++;
1035 if (len > end - pos) {
1036 wpa_printf(MSG_DEBUG, "FT: Truncated subelement");
1037 return -1;
1038 }
1039
1040 switch (id) {
1041 case FTIE_SUBELEM_R1KH_ID:
1042 if (len != FT_R1KH_ID_LEN) {
1043 wpa_printf(MSG_DEBUG,
1044 "FT: Invalid R1KH-ID length in FTIE: %d",
1045 len);
1046 return -1;
1047 }
1048 parse->r1kh_id = pos;
1049 wpa_hexdump(MSG_DEBUG, "FT: R1KH-ID",
1050 parse->r1kh_id, FT_R1KH_ID_LEN);
1051 break;
1052 case FTIE_SUBELEM_GTK:
1053 wpa_printf(MSG_DEBUG, "FT: GTK");
1054 parse->gtk = pos;
1055 parse->gtk_len = len;
1056 break;
1057 case FTIE_SUBELEM_R0KH_ID:
1058 if (len < 1 || len > FT_R0KH_ID_MAX_LEN) {
1059 wpa_printf(MSG_DEBUG,
1060 "FT: Invalid R0KH-ID length in FTIE: %d",
1061 len);
1062 return -1;
1063 }
1064 parse->r0kh_id = pos;
1065 parse->r0kh_id_len = len;
1066 wpa_hexdump(MSG_DEBUG, "FT: R0KH-ID",
1067 parse->r0kh_id, parse->r0kh_id_len);
1068 break;
1069 case FTIE_SUBELEM_IGTK:
1070 wpa_printf(MSG_DEBUG, "FT: IGTK");
1071 parse->igtk = pos;
1072 parse->igtk_len = len;
1073 break;
1074 #ifdef CONFIG_OCV
1075 case FTIE_SUBELEM_OCI:
1076 parse->oci = pos;
1077 parse->oci_len = len;
1078 wpa_hexdump(MSG_DEBUG, "FT: OCI",
1079 parse->oci, parse->oci_len);
1080 break;
1081 #endif /* CONFIG_OCV */
1082 case FTIE_SUBELEM_BIGTK:
1083 wpa_printf(MSG_DEBUG, "FT: BIGTK");
1084 parse->bigtk = pos;
1085 parse->bigtk_len = len;
1086 break;
1087 case FTIE_SUBELEM_MLO_GTK:
1088 if (len < 2 + 1 + 1 + 8) {
1089 wpa_printf(MSG_DEBUG,
1090 "FT: Too short MLO GTK in FTE");
1091 return -1;
1092 }
1093 link_id = pos[2] & 0x0f;
1094 wpa_printf(MSG_DEBUG, "FT: MLO GTK (Link ID %u)",
1095 link_id);
1096 if (link_id >= MAX_NUM_MLD_LINKS)
1097 break;
1098 parse->valid_mlo_gtks |= BIT(link_id);
1099 parse->mlo_gtk[link_id] = pos;
1100 parse->mlo_gtk_len[link_id] = len;
1101 break;
1102 case FTIE_SUBELEM_MLO_IGTK:
1103 if (len < 2 + 6 + 1 + 1) {
1104 wpa_printf(MSG_DEBUG,
1105 "FT: Too short MLO IGTK in FTE");
1106 return -1;
1107 }
1108 link_id = pos[2 + 6] & 0x0f;
1109 wpa_printf(MSG_DEBUG, "FT: MLO IGTK (Link ID %u)",
1110 link_id);
1111 if (link_id >= MAX_NUM_MLD_LINKS)
1112 break;
1113 parse->valid_mlo_igtks |= BIT(link_id);
1114 parse->mlo_igtk[link_id] = pos;
1115 parse->mlo_igtk_len[link_id] = len;
1116 break;
1117 case FTIE_SUBELEM_MLO_BIGTK:
1118 if (len < 2 + 6 + 1 + 1) {
1119 wpa_printf(MSG_DEBUG,
1120 "FT: Too short MLO BIGTK in FTE");
1121 return -1;
1122 }
1123 link_id = pos[2 + 6] & 0x0f;
1124 wpa_printf(MSG_DEBUG, "FT: MLO BIGTK (Link ID %u)",
1125 link_id);
1126 if (link_id >= MAX_NUM_MLD_LINKS)
1127 break;
1128 parse->valid_mlo_bigtks |= BIT(link_id);
1129 parse->mlo_bigtk[link_id] = pos;
1130 parse->mlo_bigtk_len[link_id] = len;
1131 break;
1132 default:
1133 wpa_printf(MSG_DEBUG, "FT: Unknown subelem id %u", id);
1134 break;
1135 }
1136
1137 pos += len;
1138 }
1139
1140 return 0;
1141 }
1142
1143
wpa_ft_parse_fte(int key_mgmt,const u8 * ie,size_t len,struct wpa_ft_ies * parse)1144 static int wpa_ft_parse_fte(int key_mgmt, const u8 *ie, size_t len,
1145 struct wpa_ft_ies *parse)
1146 {
1147 size_t mic_len;
1148 u8 mic_len_info;
1149 const u8 *pos = ie;
1150 const u8 *end = pos + len;
1151
1152 wpa_hexdump(MSG_DEBUG, "FT: FTE-MIC Control", pos, 2);
1153 parse->fte_rsnxe_used = pos[0] & FTE_MIC_CTRL_RSNXE_USED;
1154 mic_len_info = (pos[0] & FTE_MIC_CTRL_MIC_LEN_MASK) >>
1155 FTE_MIC_CTRL_MIC_LEN_SHIFT;
1156 parse->fte_elem_count = pos[1];
1157 pos += 2;
1158
1159 if (key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY) {
1160 switch (mic_len_info) {
1161 case FTE_MIC_LEN_16:
1162 mic_len = 16;
1163 break;
1164 case FTE_MIC_LEN_24:
1165 mic_len = 24;
1166 break;
1167 case FTE_MIC_LEN_32:
1168 mic_len = 32;
1169 break;
1170 default:
1171 wpa_printf(MSG_DEBUG,
1172 "FT: Unknown MIC Length subfield value %u",
1173 mic_len_info);
1174 return -1;
1175 }
1176 } else {
1177 mic_len = wpa_key_mgmt_sha384(key_mgmt) ? 24 : 16;
1178 }
1179 if (mic_len > (size_t) (end - pos)) {
1180 wpa_printf(MSG_DEBUG, "FT: No room for %zu octet MIC in FTE",
1181 mic_len);
1182 return -1;
1183 }
1184 wpa_hexdump(MSG_DEBUG, "FT: FTE-MIC", pos, mic_len);
1185 parse->fte_mic = pos;
1186 parse->fte_mic_len = mic_len;
1187 pos += mic_len;
1188
1189 if (2 * WPA_NONCE_LEN > end - pos)
1190 return -1;
1191 parse->fte_anonce = pos;
1192 wpa_hexdump(MSG_DEBUG, "FT: FTE-ANonce",
1193 parse->fte_anonce, WPA_NONCE_LEN);
1194 pos += WPA_NONCE_LEN;
1195 parse->fte_snonce = pos;
1196 wpa_hexdump(MSG_DEBUG, "FT: FTE-SNonce",
1197 parse->fte_snonce, WPA_NONCE_LEN);
1198 pos += WPA_NONCE_LEN;
1199
1200 return wpa_ft_parse_ftie(ie, len, parse, pos);
1201 }
1202
1203
wpa_ft_parse_ies(const u8 * ies,size_t ies_len,struct wpa_ft_ies * parse,int key_mgmt,bool reassoc_resp)1204 int wpa_ft_parse_ies(const u8 *ies, size_t ies_len, struct wpa_ft_ies *parse,
1205 int key_mgmt, bool reassoc_resp)
1206 {
1207 const u8 *end, *pos;
1208 struct wpa_ie_data data;
1209 int ret;
1210 int prot_ie_count = 0;
1211 const u8 *fte = NULL;
1212 size_t fte_len = 0;
1213 bool is_fte = false;
1214 struct ieee802_11_elems elems;
1215
1216 os_memset(parse, 0, sizeof(*parse));
1217 if (ies == NULL)
1218 return 0;
1219
1220 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) == ParseFailed) {
1221 wpa_printf(MSG_DEBUG, "FT: Failed to parse elements");
1222 goto fail;
1223 }
1224
1225 pos = ies;
1226 end = ies + ies_len;
1227 while (end - pos >= 2) {
1228 u8 id, len;
1229
1230 id = *pos++;
1231 len = *pos++;
1232 if (len > end - pos)
1233 break;
1234
1235 if (id != WLAN_EID_FAST_BSS_TRANSITION &&
1236 id != WLAN_EID_FRAGMENT)
1237 is_fte = false;
1238
1239 switch (id) {
1240 case WLAN_EID_RSN:
1241 wpa_hexdump(MSG_DEBUG, "FT: RSNE", pos, len);
1242 parse->rsn = pos;
1243 parse->rsn_len = len;
1244 ret = wpa_parse_wpa_ie_rsn(parse->rsn - 2,
1245 parse->rsn_len + 2,
1246 &data);
1247 if (ret < 0) {
1248 wpa_printf(MSG_DEBUG, "FT: Failed to parse "
1249 "RSN IE: %d", ret);
1250 goto fail;
1251 }
1252 parse->rsn_capab = data.capabilities;
1253 if (data.num_pmkid == 1 && data.pmkid)
1254 parse->rsn_pmkid = data.pmkid;
1255 parse->key_mgmt = data.key_mgmt;
1256 parse->pairwise_cipher = data.pairwise_cipher;
1257 if (!key_mgmt)
1258 key_mgmt = parse->key_mgmt;
1259 break;
1260 case WLAN_EID_RSNX:
1261 wpa_hexdump(MSG_DEBUG, "FT: RSNXE", pos, len);
1262 if (len < 1)
1263 break;
1264 parse->rsnxe = pos;
1265 parse->rsnxe_len = len;
1266 break;
1267 case WLAN_EID_MOBILITY_DOMAIN:
1268 wpa_hexdump(MSG_DEBUG, "FT: MDE", pos, len);
1269 if (len < sizeof(struct rsn_mdie))
1270 goto fail;
1271 parse->mdie = pos;
1272 parse->mdie_len = len;
1273 break;
1274 case WLAN_EID_FAST_BSS_TRANSITION:
1275 wpa_hexdump(MSG_DEBUG, "FT: FTE", pos, len);
1276 /* The first two octets (MIC Control field) is in the
1277 * same offset for all cases, but the second field (MIC)
1278 * has variable length with three different values.
1279 * In particular the FT-SAE-EXT-KEY is inconvinient to
1280 * parse, so try to handle this in pieces instead of
1281 * using the struct rsn_ftie* definitions. */
1282
1283 if (len < 2)
1284 goto fail;
1285 prot_ie_count = pos[1]; /* Element Count field in
1286 * MIC Control */
1287 is_fte = true;
1288 fte = pos;
1289 fte_len = len;
1290 break;
1291 case WLAN_EID_FRAGMENT:
1292 if (is_fte) {
1293 wpa_hexdump(MSG_DEBUG, "FT: FTE fragment",
1294 pos, len);
1295 fte_len += 2 + len;
1296 }
1297 break;
1298 case WLAN_EID_TIMEOUT_INTERVAL:
1299 wpa_hexdump(MSG_DEBUG, "FT: Timeout Interval",
1300 pos, len);
1301 if (len != 5)
1302 break;
1303 parse->tie = pos;
1304 parse->tie_len = len;
1305 break;
1306 case WLAN_EID_RIC_DATA:
1307 if (parse->ric == NULL)
1308 parse->ric = pos - 2;
1309 break;
1310 }
1311
1312 pos += len;
1313 }
1314
1315 if (fte) {
1316 int res;
1317
1318 if (fte_len < 255) {
1319 res = wpa_ft_parse_fte(key_mgmt, fte, fte_len, parse);
1320 } else {
1321 parse->fte_buf = ieee802_11_defrag(fte, fte_len, false);
1322 if (!parse->fte_buf)
1323 goto fail;
1324 res = wpa_ft_parse_fte(key_mgmt,
1325 wpabuf_head(parse->fte_buf),
1326 wpabuf_len(parse->fte_buf),
1327 parse);
1328 }
1329 if (res < 0)
1330 goto fail;
1331
1332 /* FTE might be fragmented. If it is, the separate Fragment
1333 * elements are included in MIC calculation as full elements. */
1334 parse->ftie = fte;
1335 parse->ftie_len = fte_len;
1336 }
1337
1338 if (prot_ie_count == 0)
1339 return 0; /* no MIC */
1340
1341 /*
1342 * Check that the protected IE count matches with IEs included in the
1343 * frame.
1344 */
1345 if (reassoc_resp && elems.basic_mle) {
1346 unsigned int link_id;
1347
1348 /* TODO: This count should be done based on all _requested_,
1349 * not _accepted_ links. */
1350 for (link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
1351 if (parse->mlo_gtk[link_id]) {
1352 if (parse->rsn)
1353 prot_ie_count--;
1354 if (parse->rsnxe)
1355 prot_ie_count--;
1356 }
1357 }
1358 } else {
1359 if (parse->rsn)
1360 prot_ie_count--;
1361 if (parse->rsnxe)
1362 prot_ie_count--;
1363 }
1364 if (parse->mdie)
1365 prot_ie_count--;
1366 if (parse->ftie)
1367 prot_ie_count--;
1368 if (prot_ie_count < 0) {
1369 wpa_printf(MSG_DEBUG, "FT: Some required IEs not included in "
1370 "the protected IE count");
1371 goto fail;
1372 }
1373
1374 if (prot_ie_count == 0 && parse->ric) {
1375 wpa_printf(MSG_DEBUG, "FT: RIC IE(s) in the frame, but not "
1376 "included in protected IE count");
1377 goto fail;
1378 }
1379
1380 /* Determine the end of the RIC IE(s) */
1381 if (parse->ric) {
1382 pos = parse->ric;
1383 while (end - pos >= 2 && 2 + pos[1] <= end - pos &&
1384 prot_ie_count) {
1385 prot_ie_count--;
1386 pos += 2 + pos[1];
1387 }
1388 parse->ric_len = pos - parse->ric;
1389 }
1390 if (prot_ie_count) {
1391 wpa_printf(MSG_DEBUG, "FT: %d protected IEs missing from "
1392 "frame", (int) prot_ie_count);
1393 goto fail;
1394 }
1395
1396 return 0;
1397
1398 fail:
1399 wpa_ft_parse_ies_free(parse);
1400 return -1;
1401 }
1402
1403
wpa_ft_parse_ies_free(struct wpa_ft_ies * parse)1404 void wpa_ft_parse_ies_free(struct wpa_ft_ies *parse)
1405 {
1406 if (!parse)
1407 return;
1408 wpabuf_free(parse->fte_buf);
1409 parse->fte_buf = NULL;
1410 }
1411
1412 #endif /* CONFIG_IEEE80211R */
1413
1414
1415 #ifdef CONFIG_PASN
1416
1417 /*
1418 * pasn_use_sha384 - Should SHA384 be used or SHA256
1419 *
1420 * @akmp: Authentication and key management protocol
1421 * @cipher: The cipher suite
1422 *
1423 * According to IEEE P802.11az/D2.7, 12.12.7, the hash algorithm to use is the
1424 * hash algorithm defined for the Base AKM (see Table 9-151 (AKM suite
1425 * selectors)). When there is no Base AKM, the hash algorithm is selected based
1426 * on the pairwise cipher suite provided in the RSNE by the AP in the second
1427 * PASN frame. SHA-256 is used as the hash algorithm, except for the ciphers
1428 * 00-0F-AC:9 and 00-0F-AC:10 for which SHA-384 is used.
1429 */
pasn_use_sha384(int akmp,int cipher)1430 bool pasn_use_sha384(int akmp, int cipher)
1431 {
1432 return (akmp == WPA_KEY_MGMT_PASN && (cipher == WPA_CIPHER_CCMP_256 ||
1433 cipher == WPA_CIPHER_GCMP_256)) ||
1434 wpa_key_mgmt_sha384(akmp);
1435 }
1436
1437
1438 /**
1439 * pasn_pmk_to_ptk - Calculate PASN PTK from PMK, addresses, etc.
1440 * @pmk: Pairwise master key
1441 * @pmk_len: Length of PMK
1442 * @spa: Suppplicant address
1443 * @bssid: AP BSSID
1444 * @dhss: Is the shared secret (DHss) derived from the PASN ephemeral key
1445 * exchange encoded as an octet string
1446 * @dhss_len: The length of dhss in octets
1447 * @ptk: Buffer for pairwise transient key
1448 * @akmp: Negotiated AKM
1449 * @cipher: Negotiated pairwise cipher
1450 * @kdk_len: the length in octets that should be derived for HTLK. Can be zero.
1451 * @kek_len: The length in octets that should be derived for KEK. Can be zero.
1452 * Returns: 0 on success, -1 on failure
1453 */
pasn_pmk_to_ptk(const u8 * pmk,size_t pmk_len,const u8 * spa,const u8 * bssid,const u8 * dhss,size_t dhss_len,struct wpa_ptk * ptk,int akmp,int cipher,size_t kdk_len,size_t kek_len)1454 int pasn_pmk_to_ptk(const u8 *pmk, size_t pmk_len,
1455 const u8 *spa, const u8 *bssid,
1456 const u8 *dhss, size_t dhss_len,
1457 struct wpa_ptk *ptk, int akmp, int cipher,
1458 size_t kdk_len, size_t kek_len)
1459 {
1460 u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN +
1461 WPA_KDK_MAX_LEN];
1462 const u8 *pos;
1463 u8 *data;
1464 size_t data_len, ptk_len;
1465 int ret = -1;
1466 const char *label = "PASN PTK Derivation";
1467
1468 if (!pmk || !pmk_len) {
1469 wpa_printf(MSG_ERROR, "PASN: No PMK set for PTK derivation");
1470 return -1;
1471 }
1472
1473 if (!dhss || !dhss_len) {
1474 wpa_printf(MSG_ERROR, "PASN: No DHss set for PTK derivation");
1475 return -1;
1476 }
1477
1478 /*
1479 * PASN-PTK = KDF(PMK, “PASN PTK Derivation”, SPA || BSSID || DHss)
1480 *
1481 * KCK = L(PASN-PTK, 0, 256)
1482 * TK = L(PASN-PTK, 256, TK_bits)
1483 * KDK = L(PASN-PTK, 256 + TK_bits, kdk_len * 8)
1484 */
1485 data_len = 2 * ETH_ALEN + dhss_len;
1486 data = os_zalloc(data_len);
1487 if (!data)
1488 return -1;
1489
1490 os_memcpy(data, spa, ETH_ALEN);
1491 os_memcpy(data + ETH_ALEN, bssid, ETH_ALEN);
1492 os_memcpy(data + 2 * ETH_ALEN, dhss, dhss_len);
1493
1494 ptk->kck_len = WPA_PASN_KCK_LEN;
1495 ptk->tk_len = wpa_cipher_key_len(cipher);
1496 ptk->kdk_len = kdk_len;
1497 ptk->kek_len = kek_len;
1498 ptk->kek2_len = 0;
1499 ptk->kck2_len = 0;
1500
1501 if (ptk->tk_len == 0) {
1502 wpa_printf(MSG_ERROR,
1503 "PASN: Unsupported cipher (0x%x) used in PTK derivation",
1504 cipher);
1505 goto err;
1506 }
1507
1508 ptk_len = ptk->kck_len + ptk->tk_len + ptk->kdk_len + ptk->kek_len;
1509 if (ptk_len > sizeof(tmp))
1510 goto err;
1511
1512 if (pasn_use_sha384(akmp, cipher)) {
1513 wpa_printf(MSG_DEBUG, "PASN: PTK derivation using SHA384");
1514
1515 if (sha384_prf(pmk, pmk_len, label, data, data_len, tmp,
1516 ptk_len) < 0)
1517 goto err;
1518 } else {
1519 wpa_printf(MSG_DEBUG, "PASN: PTK derivation using SHA256");
1520
1521 if (sha256_prf(pmk, pmk_len, label, data, data_len, tmp,
1522 ptk_len) < 0)
1523 goto err;
1524 }
1525
1526 wpa_printf(MSG_DEBUG,
1527 "PASN: PTK derivation: SPA=" MACSTR " BSSID=" MACSTR,
1528 MAC2STR(spa), MAC2STR(bssid));
1529
1530 wpa_hexdump_key(MSG_DEBUG, "PASN: DHss", dhss, dhss_len);
1531 wpa_hexdump_key(MSG_DEBUG, "PASN: PMK", pmk, pmk_len);
1532 wpa_hexdump_key(MSG_DEBUG, "PASN: PASN-PTK", tmp, ptk_len);
1533
1534 os_memcpy(ptk->kck, tmp, WPA_PASN_KCK_LEN);
1535 wpa_hexdump_key(MSG_DEBUG, "PASN: KCK:", ptk->kck, WPA_PASN_KCK_LEN);
1536 pos = &tmp[WPA_PASN_KCK_LEN];
1537
1538 if (kek_len) {
1539 os_memcpy(ptk->kek, pos, kek_len);
1540 wpa_hexdump_key(MSG_DEBUG, "PASN: KEK:",
1541 ptk->kek, ptk->kek_len);
1542 pos += kek_len;
1543 }
1544
1545 os_memcpy(ptk->tk, pos, ptk->tk_len);
1546 wpa_hexdump_key(MSG_DEBUG, "PASN: TK:", ptk->tk, ptk->tk_len);
1547 pos += ptk->tk_len;
1548
1549 if (kdk_len) {
1550 os_memcpy(ptk->kdk, pos, ptk->kdk_len);
1551 wpa_hexdump_key(MSG_DEBUG, "PASN: KDK:",
1552 ptk->kdk, ptk->kdk_len);
1553 }
1554
1555 ptk->ptk_len = ptk_len;
1556 forced_memzero(tmp, sizeof(tmp));
1557 ret = 0;
1558 err:
1559 bin_clear_free(data, data_len);
1560 return ret;
1561 }
1562
1563
1564 /*
1565 * pasn_mic_len - Returns the MIC length for PASN authentication
1566 */
pasn_mic_len(int akmp,int cipher)1567 u8 pasn_mic_len(int akmp, int cipher)
1568 {
1569 if (pasn_use_sha384(akmp, cipher))
1570 return 24;
1571
1572 return 16;
1573 }
1574
1575
1576 /**
1577 * wpa_ltf_keyseed - Compute LTF keyseed from KDK
1578 * @ptk: Buffer that holds pairwise transient key
1579 * @akmp: Negotiated AKM
1580 * @cipher: Negotiated pairwise cipher
1581 * Returns: 0 on success, -1 on failure
1582 */
wpa_ltf_keyseed(struct wpa_ptk * ptk,int akmp,int cipher)1583 int wpa_ltf_keyseed(struct wpa_ptk *ptk, int akmp, int cipher)
1584 {
1585 u8 *buf;
1586 size_t buf_len;
1587 u8 hash[SHA384_MAC_LEN];
1588 const u8 *kdk = ptk->kdk;
1589 size_t kdk_len = ptk->kdk_len;
1590 const char *label = "Secure LTF key seed";
1591
1592 if (!kdk || !kdk_len) {
1593 wpa_printf(MSG_ERROR, "WPA: No KDK for LTF keyseed generation");
1594 return -1;
1595 }
1596
1597 buf = (u8 *)label;
1598 buf_len = os_strlen(label);
1599
1600 if (pasn_use_sha384(akmp, cipher)) {
1601 wpa_printf(MSG_DEBUG,
1602 "WPA: Secure LTF keyseed using HMAC-SHA384");
1603
1604 if (hmac_sha384(kdk, kdk_len, buf, buf_len, hash)) {
1605 wpa_printf(MSG_ERROR,
1606 "WPA: HMAC-SHA384 compute failed");
1607 return -1;
1608 }
1609 os_memcpy(ptk->ltf_keyseed, hash, SHA384_MAC_LEN);
1610 ptk->ltf_keyseed_len = SHA384_MAC_LEN;
1611 wpa_hexdump_key(MSG_DEBUG, "WPA: Secure LTF keyseed: ",
1612 ptk->ltf_keyseed, ptk->ltf_keyseed_len);
1613
1614 } else {
1615 wpa_printf(MSG_DEBUG, "WPA: LTF keyseed using HMAC-SHA256");
1616
1617 if (hmac_sha256(kdk, kdk_len, buf, buf_len, hash)) {
1618 wpa_printf(MSG_ERROR,
1619 "WPA: HMAC-SHA256 compute failed");
1620 return -1;
1621 }
1622 os_memcpy(ptk->ltf_keyseed, hash, SHA256_MAC_LEN);
1623 ptk->ltf_keyseed_len = SHA256_MAC_LEN;
1624 wpa_hexdump_key(MSG_DEBUG, "WPA: Secure LTF keyseed: ",
1625 ptk->ltf_keyseed, ptk->ltf_keyseed_len);
1626 }
1627
1628 return 0;
1629 }
1630
1631
1632 /**
1633 * pasn_mic - Calculate PASN MIC
1634 * @kck: The key confirmation key for the PASN PTKSA
1635 * @akmp: Negotiated AKM
1636 * @cipher: Negotiated pairwise cipher
1637 * @addr1: For the 2nd PASN frame supplicant address; for the 3rd frame the
1638 * BSSID
1639 * @addr2: For the 2nd PASN frame the BSSID; for the 3rd frame the supplicant
1640 * address
1641 * @data: For calculating the MIC for the 2nd PASN frame, this should hold the
1642 * Beacon frame RSNE + RSNXE. For calculating the MIC for the 3rd PASN
1643 * frame, this should hold the hash of the body of the PASN 1st frame.
1644 * @data_len: The length of data
1645 * @frame: The body of the PASN frame including the MIC element with the octets
1646 * in the MIC field of the MIC element set to 0.
1647 * @frame_len: The length of frame
1648 * @mic: Buffer to hold the MIC on success. Should be big enough to handle the
1649 * maximal MIC length
1650 * Returns: 0 on success, -1 on failure
1651 */
pasn_mic(const u8 * kck,int akmp,int cipher,const u8 * addr1,const u8 * addr2,const u8 * data,size_t data_len,const u8 * frame,size_t frame_len,u8 * mic)1652 int pasn_mic(const u8 *kck, int akmp, int cipher,
1653 const u8 *addr1, const u8 *addr2,
1654 const u8 *data, size_t data_len,
1655 const u8 *frame, size_t frame_len, u8 *mic)
1656 {
1657 u8 *buf;
1658 u8 hash[SHA384_MAC_LEN];
1659 size_t buf_len = 2 * ETH_ALEN + data_len + frame_len;
1660 int ret = -1;
1661
1662 if (!kck) {
1663 wpa_printf(MSG_ERROR, "PASN: No KCK for MIC calculation");
1664 return -1;
1665 }
1666
1667 if (!data || !data_len) {
1668 wpa_printf(MSG_ERROR, "PASN: invalid data for MIC calculation");
1669 return -1;
1670 }
1671
1672 if (!frame || !frame_len) {
1673 wpa_printf(MSG_ERROR, "PASN: invalid data for MIC calculation");
1674 return -1;
1675 }
1676
1677 buf = os_zalloc(buf_len);
1678 if (!buf)
1679 return -1;
1680
1681 os_memcpy(buf, addr1, ETH_ALEN);
1682 os_memcpy(buf + ETH_ALEN, addr2, ETH_ALEN);
1683
1684 wpa_hexdump_key(MSG_DEBUG, "PASN: MIC: data", data, data_len);
1685 os_memcpy(buf + 2 * ETH_ALEN, data, data_len);
1686
1687 wpa_hexdump_key(MSG_DEBUG, "PASN: MIC: frame", frame, frame_len);
1688 os_memcpy(buf + 2 * ETH_ALEN + data_len, frame, frame_len);
1689
1690 wpa_hexdump_key(MSG_DEBUG, "PASN: MIC: KCK", kck, WPA_PASN_KCK_LEN);
1691 wpa_hexdump_key(MSG_DEBUG, "PASN: MIC: buf", buf, buf_len);
1692
1693 if (pasn_use_sha384(akmp, cipher)) {
1694 wpa_printf(MSG_DEBUG, "PASN: MIC using HMAC-SHA384");
1695
1696 if (hmac_sha384(kck, WPA_PASN_KCK_LEN, buf, buf_len, hash))
1697 goto err;
1698
1699 os_memcpy(mic, hash, 24);
1700 wpa_hexdump_key(MSG_DEBUG, "PASN: MIC: mic: ", mic, 24);
1701 } else {
1702 wpa_printf(MSG_DEBUG, "PASN: MIC using HMAC-SHA256");
1703
1704 if (hmac_sha256(kck, WPA_PASN_KCK_LEN, buf, buf_len, hash))
1705 goto err;
1706
1707 os_memcpy(mic, hash, 16);
1708 wpa_hexdump_key(MSG_DEBUG, "PASN: MIC: mic: ", mic, 16);
1709 }
1710
1711 ret = 0;
1712 err:
1713 bin_clear_free(buf, buf_len);
1714 return ret;
1715 }
1716
1717
1718 /**
1719 * pasn_auth_frame_hash - Computes a hash of an Authentication frame body
1720 * @akmp: Negotiated AKM
1721 * @cipher: Negotiated pairwise cipher
1722 * @data: Pointer to the Authentication frame body
1723 * @len: Length of the Authentication frame body
1724 * @hash: On return would hold the computed hash. Should be big enough to handle
1725 * SHA384.
1726 * Returns: 0 on success, -1 on failure
1727 */
pasn_auth_frame_hash(int akmp,int cipher,const u8 * data,size_t len,u8 * hash)1728 int pasn_auth_frame_hash(int akmp, int cipher, const u8 *data, size_t len,
1729 u8 *hash)
1730 {
1731 if (pasn_use_sha384(akmp, cipher)) {
1732 wpa_printf(MSG_DEBUG, "PASN: Frame hash using SHA-384");
1733 return sha384_vector(1, &data, &len, hash);
1734 } else {
1735 wpa_printf(MSG_DEBUG, "PASN: Frame hash using SHA-256");
1736 return sha256_vector(1, &data, &len, hash);
1737 }
1738 }
1739
1740 #endif /* CONFIG_PASN */
1741
1742
rsn_selector_to_bitfield(const u8 * s)1743 static int rsn_selector_to_bitfield(const u8 *s)
1744 {
1745 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NONE)
1746 return WPA_CIPHER_NONE;
1747 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_TKIP)
1748 return WPA_CIPHER_TKIP;
1749 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP)
1750 return WPA_CIPHER_CCMP;
1751 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_AES_128_CMAC)
1752 return WPA_CIPHER_AES_128_CMAC;
1753 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP)
1754 return WPA_CIPHER_GCMP;
1755 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP_256)
1756 return WPA_CIPHER_CCMP_256;
1757 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP_256)
1758 return WPA_CIPHER_GCMP_256;
1759 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_128)
1760 return WPA_CIPHER_BIP_GMAC_128;
1761 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_256)
1762 return WPA_CIPHER_BIP_GMAC_256;
1763 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_CMAC_256)
1764 return WPA_CIPHER_BIP_CMAC_256;
1765 if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED)
1766 return WPA_CIPHER_GTK_NOT_USED;
1767 return 0;
1768 }
1769
1770
rsn_key_mgmt_to_bitfield(const u8 * s)1771 static int rsn_key_mgmt_to_bitfield(const u8 *s)
1772 {
1773 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_UNSPEC_802_1X)
1774 return WPA_KEY_MGMT_IEEE8021X;
1775 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X)
1776 return WPA_KEY_MGMT_PSK;
1777 #ifdef CONFIG_IEEE80211R
1778 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_802_1X)
1779 return WPA_KEY_MGMT_FT_IEEE8021X;
1780 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_PSK)
1781 return WPA_KEY_MGMT_FT_PSK;
1782 #ifdef CONFIG_SHA384
1783 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384)
1784 return WPA_KEY_MGMT_FT_IEEE8021X_SHA384;
1785 #endif /* CONFIG_SHA384 */
1786 #endif /* CONFIG_IEEE80211R */
1787 #ifdef CONFIG_SHA384
1788 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SHA384)
1789 return WPA_KEY_MGMT_IEEE8021X_SHA384;
1790 #endif /* CONFIG_SHA384 */
1791 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SHA256)
1792 return WPA_KEY_MGMT_IEEE8021X_SHA256;
1793 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_SHA256)
1794 return WPA_KEY_MGMT_PSK_SHA256;
1795 #ifdef CONFIG_SAE
1796 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_SAE)
1797 return WPA_KEY_MGMT_SAE;
1798 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_SAE_EXT_KEY)
1799 return WPA_KEY_MGMT_SAE_EXT_KEY;
1800 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_SAE)
1801 return WPA_KEY_MGMT_FT_SAE;
1802 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_SAE_EXT_KEY)
1803 return WPA_KEY_MGMT_FT_SAE_EXT_KEY;
1804 #endif /* CONFIG_SAE */
1805 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B)
1806 return WPA_KEY_MGMT_IEEE8021X_SUITE_B;
1807 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192)
1808 return WPA_KEY_MGMT_IEEE8021X_SUITE_B_192;
1809 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FILS_SHA256)
1810 return WPA_KEY_MGMT_FILS_SHA256;
1811 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FILS_SHA384)
1812 return WPA_KEY_MGMT_FILS_SHA384;
1813 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_FILS_SHA256)
1814 return WPA_KEY_MGMT_FT_FILS_SHA256;
1815 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_FILS_SHA384)
1816 return WPA_KEY_MGMT_FT_FILS_SHA384;
1817 #ifdef CONFIG_OWE
1818 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_OWE)
1819 return WPA_KEY_MGMT_OWE;
1820 #endif /* CONFIG_OWE */
1821 #ifdef CONFIG_DPP
1822 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_DPP)
1823 return WPA_KEY_MGMT_DPP;
1824 #endif /* CONFIG_DPP */
1825 #ifdef CONFIG_PASN
1826 if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PASN)
1827 return WPA_KEY_MGMT_PASN;
1828 #endif /* CONFIG_PASN */
1829 return 0;
1830 }
1831
1832
wpa_cipher_valid_group(int cipher)1833 int wpa_cipher_valid_group(int cipher)
1834 {
1835 return wpa_cipher_valid_pairwise(cipher) ||
1836 cipher == WPA_CIPHER_GTK_NOT_USED;
1837 }
1838
1839
wpa_cipher_valid_mgmt_group(int cipher)1840 int wpa_cipher_valid_mgmt_group(int cipher)
1841 {
1842 return cipher == WPA_CIPHER_GTK_NOT_USED ||
1843 cipher == WPA_CIPHER_AES_128_CMAC ||
1844 cipher == WPA_CIPHER_BIP_GMAC_128 ||
1845 cipher == WPA_CIPHER_BIP_GMAC_256 ||
1846 cipher == WPA_CIPHER_BIP_CMAC_256;
1847 }
1848
1849
1850 /**
1851 * wpa_parse_wpa_ie_rsn - Parse RSN IE
1852 * @rsn_ie: Buffer containing RSN IE
1853 * @rsn_ie_len: RSN IE buffer length (including IE number and length octets)
1854 * @data: Pointer to structure that will be filled in with parsed data
1855 * Returns: 0 on success, <0 on failure
1856 */
wpa_parse_wpa_ie_rsn(const u8 * rsn_ie,size_t rsn_ie_len,struct wpa_ie_data * data)1857 int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len,
1858 struct wpa_ie_data *data)
1859 {
1860 const u8 *pos;
1861 int left;
1862 int i, count;
1863
1864 os_memset(data, 0, sizeof(*data));
1865 data->proto = WPA_PROTO_RSN;
1866 data->pairwise_cipher = WPA_CIPHER_CCMP;
1867 data->group_cipher = WPA_CIPHER_CCMP;
1868 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
1869 data->capabilities = 0;
1870 data->pmkid = NULL;
1871 data->num_pmkid = 0;
1872 data->mgmt_group_cipher = WPA_CIPHER_AES_128_CMAC;
1873
1874 if (rsn_ie_len == 0) {
1875 /* No RSN IE - fail silently */
1876 return -1;
1877 }
1878
1879 if (rsn_ie_len < sizeof(struct rsn_ie_hdr)) {
1880 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu",
1881 __func__, (unsigned long) rsn_ie_len);
1882 return -1;
1883 }
1884
1885 if (rsn_ie_len >= 2 + 4 + 2 && rsn_ie[1] >= 4 + 2 &&
1886 rsn_ie[1] == rsn_ie_len - 2 &&
1887 (WPA_GET_BE32(&rsn_ie[2]) == RSNE_OVERRIDE_IE_VENDOR_TYPE ||
1888 WPA_GET_BE32(&rsn_ie[2]) ==
1889 RSNE_OVERRIDE_2_IE_VENDOR_TYPE) &&
1890 WPA_GET_LE16(&rsn_ie[2 + 4]) == RSN_VERSION) {
1891 pos = rsn_ie + 2 + 4 + 2;
1892 left = rsn_ie_len - 2 - 4 - 2;
1893 } else {
1894 const struct rsn_ie_hdr *hdr;
1895
1896 hdr = (const struct rsn_ie_hdr *) rsn_ie;
1897
1898 if (hdr->elem_id != WLAN_EID_RSN ||
1899 hdr->len != rsn_ie_len - 2 ||
1900 WPA_GET_LE16(hdr->version) != RSN_VERSION) {
1901 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
1902 __func__);
1903 return -2;
1904 }
1905
1906 pos = (const u8 *) (hdr + 1);
1907 left = rsn_ie_len - sizeof(*hdr);
1908 }
1909
1910 if (left >= RSN_SELECTOR_LEN) {
1911 data->group_cipher = rsn_selector_to_bitfield(pos);
1912 data->has_group = 1;
1913 if (!wpa_cipher_valid_group(data->group_cipher)) {
1914 wpa_printf(MSG_DEBUG,
1915 "%s: invalid group cipher 0x%x (%08x)",
1916 __func__, data->group_cipher,
1917 WPA_GET_BE32(pos));
1918 #ifdef CONFIG_NO_TKIP
1919 if (RSN_SELECTOR_GET(pos) == RSN_CIPHER_SUITE_TKIP) {
1920 wpa_printf(MSG_DEBUG,
1921 "%s: TKIP as group cipher not supported in CONFIG_NO_TKIP=y build",
1922 __func__);
1923 }
1924 #endif /* CONFIG_NO_TKIP */
1925 return -1;
1926 }
1927 pos += RSN_SELECTOR_LEN;
1928 left -= RSN_SELECTOR_LEN;
1929 } else if (left > 0) {
1930 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
1931 __func__, left);
1932 return -3;
1933 }
1934
1935 if (left >= 2) {
1936 data->pairwise_cipher = 0;
1937 count = WPA_GET_LE16(pos);
1938 pos += 2;
1939 left -= 2;
1940 if (count == 0 || count > left / RSN_SELECTOR_LEN) {
1941 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
1942 "count %u left %u", __func__, count, left);
1943 return -4;
1944 }
1945 if (count)
1946 data->has_pairwise = 1;
1947 for (i = 0; i < count; i++) {
1948 data->pairwise_cipher |= rsn_selector_to_bitfield(pos);
1949 pos += RSN_SELECTOR_LEN;
1950 left -= RSN_SELECTOR_LEN;
1951 }
1952 if (data->pairwise_cipher & WPA_CIPHER_AES_128_CMAC) {
1953 wpa_printf(MSG_DEBUG, "%s: AES-128-CMAC used as "
1954 "pairwise cipher", __func__);
1955 return -1;
1956 }
1957 } else if (left == 1) {
1958 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
1959 __func__);
1960 return -5;
1961 }
1962
1963 if (left >= 2) {
1964 data->key_mgmt = 0;
1965 count = WPA_GET_LE16(pos);
1966 pos += 2;
1967 left -= 2;
1968 if (count == 0 || count > left / RSN_SELECTOR_LEN) {
1969 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
1970 "count %u left %u", __func__, count, left);
1971 return -6;
1972 }
1973 for (i = 0; i < count; i++) {
1974 data->key_mgmt |= rsn_key_mgmt_to_bitfield(pos);
1975 pos += RSN_SELECTOR_LEN;
1976 left -= RSN_SELECTOR_LEN;
1977 }
1978 } else if (left == 1) {
1979 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
1980 __func__);
1981 return -7;
1982 }
1983
1984 if (left >= 2) {
1985 data->capabilities = WPA_GET_LE16(pos);
1986 pos += 2;
1987 left -= 2;
1988 }
1989
1990 if (left >= 2) {
1991 u16 num_pmkid = WPA_GET_LE16(pos);
1992 pos += 2;
1993 left -= 2;
1994 if (num_pmkid > (unsigned int) left / PMKID_LEN) {
1995 wpa_printf(MSG_DEBUG, "%s: PMKID underflow "
1996 "(num_pmkid=%u left=%d)",
1997 __func__, num_pmkid, left);
1998 data->num_pmkid = 0;
1999 return -9;
2000 } else {
2001 data->num_pmkid = num_pmkid;
2002 data->pmkid = pos;
2003 pos += data->num_pmkid * PMKID_LEN;
2004 left -= data->num_pmkid * PMKID_LEN;
2005 }
2006 }
2007
2008 if (left >= 4) {
2009 data->mgmt_group_cipher = rsn_selector_to_bitfield(pos);
2010 if (!wpa_cipher_valid_mgmt_group(data->mgmt_group_cipher)) {
2011 wpa_printf(MSG_DEBUG,
2012 "%s: Unsupported management group cipher 0x%x (%08x)",
2013 __func__, data->mgmt_group_cipher,
2014 WPA_GET_BE32(pos));
2015 return -10;
2016 }
2017 pos += RSN_SELECTOR_LEN;
2018 left -= RSN_SELECTOR_LEN;
2019 }
2020
2021 if (left > 0) {
2022 wpa_hexdump(MSG_DEBUG,
2023 "wpa_parse_wpa_ie_rsn: ignore trailing bytes",
2024 pos, left);
2025 }
2026
2027 return 0;
2028 }
2029
2030
wpa_selector_to_bitfield(const u8 * s)2031 static int wpa_selector_to_bitfield(const u8 *s)
2032 {
2033 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_NONE)
2034 return WPA_CIPHER_NONE;
2035 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_TKIP)
2036 return WPA_CIPHER_TKIP;
2037 if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_CCMP)
2038 return WPA_CIPHER_CCMP;
2039 return 0;
2040 }
2041
2042
wpa_key_mgmt_to_bitfield(const u8 * s)2043 static int wpa_key_mgmt_to_bitfield(const u8 *s)
2044 {
2045 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_UNSPEC_802_1X)
2046 return WPA_KEY_MGMT_IEEE8021X;
2047 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X)
2048 return WPA_KEY_MGMT_PSK;
2049 if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_NONE)
2050 return WPA_KEY_MGMT_WPA_NONE;
2051 return 0;
2052 }
2053
2054
wpa_parse_wpa_ie_wpa(const u8 * wpa_ie,size_t wpa_ie_len,struct wpa_ie_data * data)2055 int wpa_parse_wpa_ie_wpa(const u8 *wpa_ie, size_t wpa_ie_len,
2056 struct wpa_ie_data *data)
2057 {
2058 const struct wpa_ie_hdr *hdr;
2059 const u8 *pos;
2060 int left;
2061 int i, count;
2062
2063 os_memset(data, 0, sizeof(*data));
2064 data->proto = WPA_PROTO_WPA;
2065 data->pairwise_cipher = WPA_CIPHER_TKIP;
2066 data->group_cipher = WPA_CIPHER_TKIP;
2067 data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
2068 data->capabilities = 0;
2069 data->pmkid = NULL;
2070 data->num_pmkid = 0;
2071 data->mgmt_group_cipher = 0;
2072
2073 if (wpa_ie_len < sizeof(struct wpa_ie_hdr)) {
2074 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu",
2075 __func__, (unsigned long) wpa_ie_len);
2076 return -1;
2077 }
2078
2079 hdr = (const struct wpa_ie_hdr *) wpa_ie;
2080
2081 if (hdr->elem_id != WLAN_EID_VENDOR_SPECIFIC ||
2082 hdr->len != wpa_ie_len - 2 ||
2083 RSN_SELECTOR_GET(hdr->oui) != WPA_OUI_TYPE ||
2084 WPA_GET_LE16(hdr->version) != WPA_VERSION) {
2085 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
2086 __func__);
2087 return -2;
2088 }
2089
2090 pos = (const u8 *) (hdr + 1);
2091 left = wpa_ie_len - sizeof(*hdr);
2092
2093 if (left >= WPA_SELECTOR_LEN) {
2094 data->group_cipher = wpa_selector_to_bitfield(pos);
2095 pos += WPA_SELECTOR_LEN;
2096 left -= WPA_SELECTOR_LEN;
2097 } else if (left > 0) {
2098 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
2099 __func__, left);
2100 return -3;
2101 }
2102
2103 if (left >= 2) {
2104 data->pairwise_cipher = 0;
2105 count = WPA_GET_LE16(pos);
2106 pos += 2;
2107 left -= 2;
2108 if (count == 0 || count > left / WPA_SELECTOR_LEN) {
2109 wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
2110 "count %u left %u", __func__, count, left);
2111 return -4;
2112 }
2113 for (i = 0; i < count; i++) {
2114 data->pairwise_cipher |= wpa_selector_to_bitfield(pos);
2115 pos += WPA_SELECTOR_LEN;
2116 left -= WPA_SELECTOR_LEN;
2117 }
2118 } else if (left == 1) {
2119 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
2120 __func__);
2121 return -5;
2122 }
2123
2124 if (left >= 2) {
2125 data->key_mgmt = 0;
2126 count = WPA_GET_LE16(pos);
2127 pos += 2;
2128 left -= 2;
2129 if (count == 0 || count > left / WPA_SELECTOR_LEN) {
2130 wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
2131 "count %u left %u", __func__, count, left);
2132 return -6;
2133 }
2134 for (i = 0; i < count; i++) {
2135 data->key_mgmt |= wpa_key_mgmt_to_bitfield(pos);
2136 pos += WPA_SELECTOR_LEN;
2137 left -= WPA_SELECTOR_LEN;
2138 }
2139 } else if (left == 1) {
2140 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
2141 __func__);
2142 return -7;
2143 }
2144
2145 if (left >= 2) {
2146 data->capabilities = WPA_GET_LE16(pos);
2147 pos += 2;
2148 left -= 2;
2149 }
2150
2151 if (left > 0) {
2152 wpa_hexdump(MSG_DEBUG,
2153 "wpa_parse_wpa_ie_wpa: ignore trailing bytes",
2154 pos, left);
2155 }
2156
2157 return 0;
2158 }
2159
2160
wpa_default_rsn_cipher(int freq)2161 int wpa_default_rsn_cipher(int freq)
2162 {
2163 if (freq > 56160)
2164 return WPA_CIPHER_GCMP; /* DMG */
2165
2166 return WPA_CIPHER_CCMP;
2167 }
2168
2169
2170 #ifdef CONFIG_IEEE80211R
2171
2172 /**
2173 * wpa_derive_pmk_r0 - Derive PMK-R0 and PMKR0Name
2174 *
2175 * IEEE Std 802.11r-2008 - 8.5.1.5.3
2176 */
wpa_derive_pmk_r0(const u8 * xxkey,size_t xxkey_len,const u8 * ssid,size_t ssid_len,const u8 * mdid,const u8 * r0kh_id,size_t r0kh_id_len,const u8 * s0kh_id,u8 * pmk_r0,u8 * pmk_r0_name,int key_mgmt)2177 int wpa_derive_pmk_r0(const u8 *xxkey, size_t xxkey_len,
2178 const u8 *ssid, size_t ssid_len,
2179 const u8 *mdid, const u8 *r0kh_id, size_t r0kh_id_len,
2180 const u8 *s0kh_id, u8 *pmk_r0, u8 *pmk_r0_name,
2181 int key_mgmt)
2182 {
2183 u8 buf[1 + SSID_MAX_LEN + MOBILITY_DOMAIN_ID_LEN + 1 +
2184 FT_R0KH_ID_MAX_LEN + ETH_ALEN];
2185 u8 *pos, r0_key_data[64 + 16], hash[64];
2186 const u8 *addr[2];
2187 size_t len[2];
2188 size_t q, r0_key_data_len;
2189 int res;
2190
2191 if (key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY &&
2192 (xxkey_len == SHA256_MAC_LEN || xxkey_len == SHA384_MAC_LEN ||
2193 xxkey_len == SHA512_MAC_LEN))
2194 q = xxkey_len;
2195 else if (wpa_key_mgmt_sha384(key_mgmt))
2196 q = SHA384_MAC_LEN;
2197 else
2198 q = SHA256_MAC_LEN;
2199 r0_key_data_len = q + 16;
2200
2201 /*
2202 * R0-Key-Data = KDF-Hash-Length(XXKey, "FT-R0",
2203 * SSIDlength || SSID || MDID || R0KHlength ||
2204 * R0KH-ID || S0KH-ID)
2205 * XXKey is either the second 256 bits of MSK or PSK; or the first
2206 * 384 bits of MSK for FT-EAP-SHA384; or PMK from SAE.
2207 * PMK-R0 = L(R0-Key-Data, 0, Q)
2208 * PMK-R0Name-Salt = L(R0-Key-Data, Q, 128)
2209 * Q = 384 for FT-EAP-SHA384; the length of the digest generated by H()
2210 * for FT-SAE-EXT-KEY; or otherwise, 256
2211 */
2212 if (ssid_len > SSID_MAX_LEN || r0kh_id_len > FT_R0KH_ID_MAX_LEN)
2213 return -1;
2214 wpa_printf(MSG_DEBUG, "FT: Derive PMK-R0 using KDF-SHA%zu", q * 8);
2215 wpa_hexdump_key(MSG_DEBUG, "FT: XXKey", xxkey, xxkey_len);
2216 wpa_hexdump_ascii(MSG_DEBUG, "FT: SSID", ssid, ssid_len);
2217 wpa_hexdump(MSG_DEBUG, "FT: MDID", mdid, MOBILITY_DOMAIN_ID_LEN);
2218 wpa_hexdump_ascii(MSG_DEBUG, "FT: R0KH-ID", r0kh_id, r0kh_id_len);
2219 wpa_printf(MSG_DEBUG, "FT: S0KH-ID: " MACSTR, MAC2STR(s0kh_id));
2220 pos = buf;
2221 *pos++ = ssid_len;
2222 os_memcpy(pos, ssid, ssid_len);
2223 pos += ssid_len;
2224 os_memcpy(pos, mdid, MOBILITY_DOMAIN_ID_LEN);
2225 pos += MOBILITY_DOMAIN_ID_LEN;
2226 *pos++ = r0kh_id_len;
2227 os_memcpy(pos, r0kh_id, r0kh_id_len);
2228 pos += r0kh_id_len;
2229 os_memcpy(pos, s0kh_id, ETH_ALEN);
2230 pos += ETH_ALEN;
2231
2232 res = -1;
2233 #ifdef CONFIG_SHA512
2234 if (q == SHA512_MAC_LEN) {
2235 if (xxkey_len != SHA512_MAC_LEN) {
2236 wpa_printf(MSG_ERROR,
2237 "FT: Unexpected XXKey length %d (expected %d)",
2238 (int) xxkey_len, SHA512_MAC_LEN);
2239 return -1;
2240 }
2241 res = sha512_prf(xxkey, xxkey_len, "FT-R0", buf, pos - buf,
2242 r0_key_data, r0_key_data_len);
2243 }
2244 #endif /* CONFIG_SHA512 */
2245 #ifdef CONFIG_SHA384
2246 if (q == SHA384_MAC_LEN) {
2247 if (xxkey_len != SHA384_MAC_LEN) {
2248 wpa_printf(MSG_ERROR,
2249 "FT: Unexpected XXKey length %d (expected %d)",
2250 (int) xxkey_len, SHA384_MAC_LEN);
2251 return -1;
2252 }
2253 res = sha384_prf(xxkey, xxkey_len, "FT-R0", buf, pos - buf,
2254 r0_key_data, r0_key_data_len);
2255 }
2256 #endif /* CONFIG_SHA384 */
2257 if (q == SHA256_MAC_LEN) {
2258 if (xxkey_len != PMK_LEN) {
2259 wpa_printf(MSG_ERROR,
2260 "FT: Unexpected XXKey length %d (expected %d)",
2261 (int) xxkey_len, PMK_LEN);
2262 return -1;
2263 }
2264 res = sha256_prf(xxkey, xxkey_len, "FT-R0", buf, pos - buf,
2265 r0_key_data, r0_key_data_len);
2266 }
2267 if (res < 0)
2268 return res;
2269 os_memcpy(pmk_r0, r0_key_data, q);
2270 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0", pmk_r0, q);
2271 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0Name-Salt", &r0_key_data[q], 16);
2272
2273 /*
2274 * PMKR0Name = Truncate-128(Hash("FT-R0N" || PMK-R0Name-Salt)
2275 */
2276 addr[0] = (const u8 *) "FT-R0N";
2277 len[0] = 6;
2278 addr[1] = &r0_key_data[q];
2279 len[1] = 16;
2280
2281 res = -1;
2282 #ifdef CONFIG_SHA512
2283 if (q == SHA512_MAC_LEN)
2284 res = sha512_vector(2, addr, len, hash);
2285 #endif /* CONFIG_SHA512 */
2286 #ifdef CONFIG_SHA384
2287 if (q == SHA384_MAC_LEN)
2288 res = sha384_vector(2, addr, len, hash);
2289 #endif /* CONFIG_SHA384 */
2290 if (q == SHA256_MAC_LEN)
2291 res = sha256_vector(2, addr, len, hash);
2292 if (res < 0) {
2293 wpa_printf(MSG_DEBUG,
2294 "FT: Failed to derive PMKR0Name (PMK-R0 len %zu)",
2295 q);
2296 return res;
2297 }
2298 os_memcpy(pmk_r0_name, hash, WPA_PMK_NAME_LEN);
2299 wpa_hexdump(MSG_DEBUG, "FT: PMKR0Name", pmk_r0_name, WPA_PMK_NAME_LEN);
2300 forced_memzero(r0_key_data, sizeof(r0_key_data));
2301 return 0;
2302 }
2303
2304
2305 /**
2306 * wpa_derive_pmk_r1_name - Derive PMKR1Name
2307 *
2308 * IEEE Std 802.11r-2008 - 8.5.1.5.4
2309 */
wpa_derive_pmk_r1_name(const u8 * pmk_r0_name,const u8 * r1kh_id,const u8 * s1kh_id,u8 * pmk_r1_name,size_t pmk_r1_len)2310 int wpa_derive_pmk_r1_name(const u8 *pmk_r0_name, const u8 *r1kh_id,
2311 const u8 *s1kh_id, u8 *pmk_r1_name,
2312 size_t pmk_r1_len)
2313 {
2314 u8 hash[64];
2315 const u8 *addr[4];
2316 size_t len[4];
2317 int res;
2318 const char *title;
2319
2320 /*
2321 * PMKR1Name = Truncate-128(Hash("FT-R1N" || PMKR0Name ||
2322 * R1KH-ID || S1KH-ID))
2323 */
2324 addr[0] = (const u8 *) "FT-R1N";
2325 len[0] = 6;
2326 addr[1] = pmk_r0_name;
2327 len[1] = WPA_PMK_NAME_LEN;
2328 addr[2] = r1kh_id;
2329 len[2] = FT_R1KH_ID_LEN;
2330 addr[3] = s1kh_id;
2331 len[3] = ETH_ALEN;
2332
2333 res = -1;
2334 #ifdef CONFIG_SHA512
2335 if (pmk_r1_len == SHA512_MAC_LEN) {
2336 title = "FT: PMKR1Name (using SHA512)";
2337 res = sha512_vector(4, addr, len, hash);
2338 }
2339 #endif /* CONFIG_SHA512 */
2340 #ifdef CONFIG_SHA384
2341 if (pmk_r1_len == SHA384_MAC_LEN) {
2342 title = "FT: PMKR1Name (using SHA384)";
2343 res = sha384_vector(4, addr, len, hash);
2344 }
2345 #endif /* CONFIG_SHA384 */
2346 if (pmk_r1_len == SHA256_MAC_LEN) {
2347 title = "FT: PMKR1Name (using SHA256)";
2348 res = sha256_vector(4, addr, len, hash);
2349 }
2350 if (res < 0) {
2351 wpa_printf(MSG_DEBUG,
2352 "FT: Failed to derive PMKR1Name (PMK-R1 len %zu)",
2353 pmk_r1_len);
2354 return res;
2355 }
2356 os_memcpy(pmk_r1_name, hash, WPA_PMK_NAME_LEN);
2357 wpa_hexdump(MSG_DEBUG, title, pmk_r1_name, WPA_PMK_NAME_LEN);
2358 return 0;
2359 }
2360
2361
2362 /**
2363 * wpa_derive_pmk_r1 - Derive PMK-R1 and PMKR1Name from PMK-R0
2364 *
2365 * IEEE Std 802.11r-2008 - 8.5.1.5.4
2366 */
wpa_derive_pmk_r1(const u8 * pmk_r0,size_t pmk_r0_len,const u8 * pmk_r0_name,const u8 * r1kh_id,const u8 * s1kh_id,u8 * pmk_r1,u8 * pmk_r1_name)2367 int wpa_derive_pmk_r1(const u8 *pmk_r0, size_t pmk_r0_len,
2368 const u8 *pmk_r0_name,
2369 const u8 *r1kh_id, const u8 *s1kh_id,
2370 u8 *pmk_r1, u8 *pmk_r1_name)
2371 {
2372 u8 buf[FT_R1KH_ID_LEN + ETH_ALEN];
2373 u8 *pos;
2374 int res;
2375
2376 /* PMK-R1 = KDF-Hash(PMK-R0, "FT-R1", R1KH-ID || S1KH-ID) */
2377 wpa_printf(MSG_DEBUG, "FT: Derive PMK-R1 using KDF-SHA%zu",
2378 pmk_r0_len * 8);
2379 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0", pmk_r0, pmk_r0_len);
2380 wpa_hexdump(MSG_DEBUG, "FT: R1KH-ID", r1kh_id, FT_R1KH_ID_LEN);
2381 wpa_printf(MSG_DEBUG, "FT: S1KH-ID: " MACSTR, MAC2STR(s1kh_id));
2382 pos = buf;
2383 os_memcpy(pos, r1kh_id, FT_R1KH_ID_LEN);
2384 pos += FT_R1KH_ID_LEN;
2385 os_memcpy(pos, s1kh_id, ETH_ALEN);
2386 pos += ETH_ALEN;
2387
2388 res = -1;
2389 #ifdef CONFIG_SHA512
2390 if (pmk_r0_len == SHA512_MAC_LEN)
2391 res = sha512_prf(pmk_r0, pmk_r0_len, "FT-R1",
2392 buf, pos - buf, pmk_r1, pmk_r0_len);
2393 #endif /* CONFIG_SHA512 */
2394 #ifdef CONFIG_SHA384
2395 if (pmk_r0_len == SHA384_MAC_LEN)
2396 res = sha384_prf(pmk_r0, pmk_r0_len, "FT-R1",
2397 buf, pos - buf, pmk_r1, pmk_r0_len);
2398 #endif /* CONFIG_SHA384 */
2399 if (pmk_r0_len == SHA256_MAC_LEN)
2400 res = sha256_prf(pmk_r0, pmk_r0_len, "FT-R1",
2401 buf, pos - buf, pmk_r1, pmk_r0_len);
2402 if (res < 0) {
2403 wpa_printf(MSG_ERROR, "FT: Failed to derive PMK-R1");
2404 return res;
2405 }
2406 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", pmk_r1, pmk_r0_len);
2407
2408 return wpa_derive_pmk_r1_name(pmk_r0_name, r1kh_id, s1kh_id,
2409 pmk_r1_name, pmk_r0_len);
2410 }
2411
2412
2413 /**
2414 * wpa_pmk_r1_to_ptk - Derive PTK and PTKName from PMK-R1
2415 *
2416 * IEEE Std 802.11r-2008 - 8.5.1.5.5
2417 */
wpa_pmk_r1_to_ptk(const u8 * pmk_r1,size_t pmk_r1_len,const u8 * snonce,const u8 * anonce,const u8 * sta_addr,const u8 * bssid,const u8 * pmk_r1_name,struct wpa_ptk * ptk,u8 * ptk_name,int akmp,int cipher,size_t kdk_len)2418 int wpa_pmk_r1_to_ptk(const u8 *pmk_r1, size_t pmk_r1_len,
2419 const u8 *snonce, const u8 *anonce,
2420 const u8 *sta_addr, const u8 *bssid,
2421 const u8 *pmk_r1_name,
2422 struct wpa_ptk *ptk, u8 *ptk_name, int akmp, int cipher,
2423 size_t kdk_len)
2424 {
2425 u8 buf[2 * WPA_NONCE_LEN + 2 * ETH_ALEN];
2426 u8 *pos, hash[32];
2427 const u8 *addr[6];
2428 size_t len[6];
2429 u8 tmp[2 * WPA_KCK_MAX_LEN + 2 * WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN +
2430 WPA_KDK_MAX_LEN];
2431 size_t ptk_len, offset;
2432 size_t key_len;
2433 int res;
2434
2435 if (kdk_len > WPA_KDK_MAX_LEN) {
2436 wpa_printf(MSG_ERROR,
2437 "FT: KDK len=%zu exceeds max supported len",
2438 kdk_len);
2439 return -1;
2440 }
2441
2442 if (akmp == WPA_KEY_MGMT_FT_SAE_EXT_KEY &&
2443 (pmk_r1_len == SHA256_MAC_LEN || pmk_r1_len == SHA384_MAC_LEN ||
2444 pmk_r1_len == SHA512_MAC_LEN))
2445 key_len = pmk_r1_len;
2446 else if (wpa_key_mgmt_sha384(akmp))
2447 key_len = SHA384_MAC_LEN;
2448 else
2449 key_len = SHA256_MAC_LEN;
2450
2451 /*
2452 * PTK = KDF-PTKLen(PMK-R1, "FT-PTK", SNonce || ANonce ||
2453 * BSSID || STA-ADDR)
2454 */
2455 wpa_printf(MSG_DEBUG, "FT: Derive PTK using KDF-SHA%zu", key_len * 8);
2456 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", pmk_r1, pmk_r1_len);
2457 wpa_hexdump(MSG_DEBUG, "FT: SNonce", snonce, WPA_NONCE_LEN);
2458 wpa_hexdump(MSG_DEBUG, "FT: ANonce", anonce, WPA_NONCE_LEN);
2459 wpa_printf(MSG_DEBUG, "FT: BSSID=" MACSTR " STA-ADDR=" MACSTR,
2460 MAC2STR(bssid), MAC2STR(sta_addr));
2461 pos = buf;
2462 os_memcpy(pos, snonce, WPA_NONCE_LEN);
2463 pos += WPA_NONCE_LEN;
2464 os_memcpy(pos, anonce, WPA_NONCE_LEN);
2465 pos += WPA_NONCE_LEN;
2466 os_memcpy(pos, bssid, ETH_ALEN);
2467 pos += ETH_ALEN;
2468 os_memcpy(pos, sta_addr, ETH_ALEN);
2469 pos += ETH_ALEN;
2470
2471 ptk->kck_len = wpa_kck_len(akmp, key_len);
2472 ptk->kck2_len = wpa_kck2_len(akmp);
2473 ptk->kek_len = wpa_kek_len(akmp, key_len);
2474 ptk->kek2_len = wpa_kek2_len(akmp);
2475 ptk->tk_len = wpa_cipher_key_len(cipher);
2476 ptk->kdk_len = kdk_len;
2477 ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len +
2478 ptk->kck2_len + ptk->kek2_len + ptk->kdk_len;
2479
2480 res = -1;
2481 #ifdef CONFIG_SHA512
2482 if (key_len == SHA512_MAC_LEN) {
2483 if (pmk_r1_len != SHA512_MAC_LEN) {
2484 wpa_printf(MSG_ERROR,
2485 "FT: Unexpected PMK-R1 length %d (expected %d)",
2486 (int) pmk_r1_len, SHA512_MAC_LEN);
2487 return -1;
2488 }
2489 res = sha512_prf(pmk_r1, pmk_r1_len, "FT-PTK",
2490 buf, pos - buf, tmp, ptk_len);
2491 }
2492 #endif /* CONFIG_SHA512 */
2493 #ifdef CONFIG_SHA384
2494 if (key_len == SHA384_MAC_LEN) {
2495 if (pmk_r1_len != SHA384_MAC_LEN) {
2496 wpa_printf(MSG_ERROR,
2497 "FT: Unexpected PMK-R1 length %d (expected %d)",
2498 (int) pmk_r1_len, SHA384_MAC_LEN);
2499 return -1;
2500 }
2501 res = sha384_prf(pmk_r1, pmk_r1_len, "FT-PTK",
2502 buf, pos - buf, tmp, ptk_len);
2503 }
2504 #endif /* CONFIG_SHA384 */
2505 if (key_len == SHA256_MAC_LEN) {
2506 if (pmk_r1_len != PMK_LEN) {
2507 wpa_printf(MSG_ERROR,
2508 "FT: Unexpected PMK-R1 length %d (expected %d)",
2509 (int) pmk_r1_len, PMK_LEN);
2510 return -1;
2511 }
2512 res = sha256_prf(pmk_r1, pmk_r1_len, "FT-PTK",
2513 buf, pos - buf, tmp, ptk_len);
2514 }
2515 if (res < 0)
2516 return -1;
2517 wpa_hexdump_key(MSG_DEBUG, "FT: PTK", tmp, ptk_len);
2518
2519 /*
2520 * PTKName = Truncate-128(SHA-256(PMKR1Name || "FT-PTKN" || SNonce ||
2521 * ANonce || BSSID || STA-ADDR))
2522 */
2523 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name", pmk_r1_name, WPA_PMK_NAME_LEN);
2524 addr[0] = pmk_r1_name;
2525 len[0] = WPA_PMK_NAME_LEN;
2526 addr[1] = (const u8 *) "FT-PTKN";
2527 len[1] = 7;
2528 addr[2] = snonce;
2529 len[2] = WPA_NONCE_LEN;
2530 addr[3] = anonce;
2531 len[3] = WPA_NONCE_LEN;
2532 addr[4] = bssid;
2533 len[4] = ETH_ALEN;
2534 addr[5] = sta_addr;
2535 len[5] = ETH_ALEN;
2536
2537 if (sha256_vector(6, addr, len, hash) < 0)
2538 return -1;
2539 os_memcpy(ptk_name, hash, WPA_PMK_NAME_LEN);
2540
2541 os_memcpy(ptk->kck, tmp, ptk->kck_len);
2542 offset = ptk->kck_len;
2543 os_memcpy(ptk->kek, tmp + offset, ptk->kek_len);
2544 offset += ptk->kek_len;
2545 os_memcpy(ptk->tk, tmp + offset, ptk->tk_len);
2546 offset += ptk->tk_len;
2547 os_memcpy(ptk->kck2, tmp + offset, ptk->kck2_len);
2548 offset += ptk->kck2_len;
2549 os_memcpy(ptk->kek2, tmp + offset, ptk->kek2_len);
2550 offset += ptk->kek2_len;
2551 os_memcpy(ptk->kdk, tmp + offset, ptk->kdk_len);
2552
2553 wpa_hexdump_key(MSG_DEBUG, "FT: KCK", ptk->kck, ptk->kck_len);
2554 wpa_hexdump_key(MSG_DEBUG, "FT: KEK", ptk->kek, ptk->kek_len);
2555 if (ptk->kck2_len)
2556 wpa_hexdump_key(MSG_DEBUG, "FT: KCK2",
2557 ptk->kck2, ptk->kck2_len);
2558 if (ptk->kek2_len)
2559 wpa_hexdump_key(MSG_DEBUG, "FT: KEK2",
2560 ptk->kek2, ptk->kek2_len);
2561 if (ptk->kdk_len)
2562 wpa_hexdump_key(MSG_DEBUG, "FT: KDK", ptk->kdk, ptk->kdk_len);
2563
2564 wpa_hexdump_key(MSG_DEBUG, "FT: TK", ptk->tk, ptk->tk_len);
2565 wpa_hexdump(MSG_DEBUG, "FT: PTKName", ptk_name, WPA_PMK_NAME_LEN);
2566
2567 forced_memzero(tmp, sizeof(tmp));
2568
2569 return 0;
2570 }
2571
2572 #endif /* CONFIG_IEEE80211R */
2573
2574
2575 /**
2576 * rsn_pmkid - Calculate PMK identifier
2577 * @pmk: Pairwise master key
2578 * @pmk_len: Length of pmk in bytes
2579 * @aa: Authenticator address
2580 * @spa: Supplicant address
2581 * @pmkid: Buffer for PMKID
2582 * @akmp: Negotiated key management protocol
2583 *
2584 * IEEE Std 802.11-2016 - 12.7.1.3 Pairwise key hierarchy
2585 * AKM: 00-0F-AC:3, 00-0F-AC:5, 00-0F-AC:6, 00-0F-AC:14, 00-0F-AC:16
2586 * PMKID = Truncate-128(HMAC-SHA-256(PMK, "PMK Name" || AA || SPA))
2587 * AKM: 00-0F-AC:11
2588 * See rsn_pmkid_suite_b()
2589 * AKM: 00-0F-AC:12
2590 * See rsn_pmkid_suite_b_192()
2591 * AKM: 00-0F-AC:13, 00-0F-AC:15, 00-0F-AC:17
2592 * PMKID = Truncate-128(HMAC-SHA-384(PMK, "PMK Name" || AA || SPA))
2593 * Otherwise:
2594 * PMKID = Truncate-128(HMAC-SHA-1(PMK, "PMK Name" || AA || SPA))
2595 */
rsn_pmkid(const u8 * pmk,size_t pmk_len,const u8 * aa,const u8 * spa,u8 * pmkid,int akmp)2596 void rsn_pmkid(const u8 *pmk, size_t pmk_len, const u8 *aa, const u8 *spa,
2597 u8 *pmkid, int akmp)
2598 {
2599 char *title = "PMK Name";
2600 const u8 *addr[3];
2601 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN };
2602 unsigned char hash[SHA384_MAC_LEN];
2603
2604 addr[0] = (u8 *) title;
2605 addr[1] = aa;
2606 addr[2] = spa;
2607
2608 if (0) {
2609 #if defined(CONFIG_FILS) || defined(CONFIG_SHA384)
2610 } else if (wpa_key_mgmt_sha384(akmp)) {
2611 wpa_printf(MSG_DEBUG, "RSN: Derive PMKID using HMAC-SHA-384");
2612 hmac_sha384_vector(pmk, pmk_len, 3, addr, len, hash);
2613 #endif /* CONFIG_FILS || CONFIG_SHA384 */
2614 } else if (wpa_key_mgmt_sha256(akmp)) {
2615 wpa_printf(MSG_DEBUG, "RSN: Derive PMKID using HMAC-SHA-256");
2616 hmac_sha256_vector(pmk, pmk_len, 3, addr, len, hash);
2617 } else {
2618 wpa_printf(MSG_DEBUG, "RSN: Derive PMKID using HMAC-SHA-1");
2619 hmac_sha1_vector(pmk, pmk_len, 3, addr, len, hash);
2620 }
2621 wpa_hexdump(MSG_DEBUG, "RSN: Derived PMKID", hash, PMKID_LEN);
2622 os_memcpy(pmkid, hash, PMKID_LEN);
2623 }
2624
2625
2626 #ifdef CONFIG_SUITEB
2627 /**
2628 * rsn_pmkid_suite_b - Calculate PMK identifier for Suite B AKM
2629 * @kck: Key confirmation key
2630 * @kck_len: Length of kck in bytes
2631 * @aa: Authenticator address
2632 * @spa: Supplicant address
2633 * @pmkid: Buffer for PMKID
2634 * Returns: 0 on success, -1 on failure
2635 *
2636 * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy
2637 * PMKID = Truncate(HMAC-SHA-256(KCK, "PMK Name" || AA || SPA))
2638 */
rsn_pmkid_suite_b(const u8 * kck,size_t kck_len,const u8 * aa,const u8 * spa,u8 * pmkid)2639 int rsn_pmkid_suite_b(const u8 *kck, size_t kck_len, const u8 *aa,
2640 const u8 *spa, u8 *pmkid)
2641 {
2642 char *title = "PMK Name";
2643 const u8 *addr[3];
2644 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN };
2645 unsigned char hash[SHA256_MAC_LEN];
2646
2647 addr[0] = (u8 *) title;
2648 addr[1] = aa;
2649 addr[2] = spa;
2650
2651 if (hmac_sha256_vector(kck, kck_len, 3, addr, len, hash) < 0)
2652 return -1;
2653 os_memcpy(pmkid, hash, PMKID_LEN);
2654 return 0;
2655 }
2656 #endif /* CONFIG_SUITEB */
2657
2658
2659 #ifdef CONFIG_SUITEB192
2660 /**
2661 * rsn_pmkid_suite_b_192 - Calculate PMK identifier for Suite B AKM
2662 * @kck: Key confirmation key
2663 * @kck_len: Length of kck in bytes
2664 * @aa: Authenticator address
2665 * @spa: Supplicant address
2666 * @pmkid: Buffer for PMKID
2667 * Returns: 0 on success, -1 on failure
2668 *
2669 * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy
2670 * PMKID = Truncate(HMAC-SHA-384(KCK, "PMK Name" || AA || SPA))
2671 */
rsn_pmkid_suite_b_192(const u8 * kck,size_t kck_len,const u8 * aa,const u8 * spa,u8 * pmkid)2672 int rsn_pmkid_suite_b_192(const u8 *kck, size_t kck_len, const u8 *aa,
2673 const u8 *spa, u8 *pmkid)
2674 {
2675 char *title = "PMK Name";
2676 const u8 *addr[3];
2677 const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN };
2678 unsigned char hash[SHA384_MAC_LEN];
2679
2680 addr[0] = (u8 *) title;
2681 addr[1] = aa;
2682 addr[2] = spa;
2683
2684 if (hmac_sha384_vector(kck, kck_len, 3, addr, len, hash) < 0)
2685 return -1;
2686 os_memcpy(pmkid, hash, PMKID_LEN);
2687 return 0;
2688 }
2689 #endif /* CONFIG_SUITEB192 */
2690
2691
2692 /**
2693 * wpa_cipher_txt - Convert cipher suite to a text string
2694 * @cipher: Cipher suite (WPA_CIPHER_* enum)
2695 * Returns: Pointer to a text string of the cipher suite name
2696 */
wpa_cipher_txt(int cipher)2697 const char * wpa_cipher_txt(int cipher)
2698 {
2699 switch (cipher) {
2700 case WPA_CIPHER_NONE:
2701 return "NONE";
2702 #ifdef CONFIG_WEP
2703 case WPA_CIPHER_WEP40:
2704 return "WEP-40";
2705 case WPA_CIPHER_WEP104:
2706 return "WEP-104";
2707 #endif /* CONFIG_WEP */
2708 case WPA_CIPHER_TKIP:
2709 return "TKIP";
2710 case WPA_CIPHER_CCMP:
2711 return "CCMP";
2712 case WPA_CIPHER_CCMP | WPA_CIPHER_TKIP:
2713 return "CCMP+TKIP";
2714 case WPA_CIPHER_GCMP:
2715 return "GCMP";
2716 case WPA_CIPHER_GCMP_256:
2717 return "GCMP-256";
2718 case WPA_CIPHER_CCMP_256:
2719 return "CCMP-256";
2720 case WPA_CIPHER_AES_128_CMAC:
2721 return "BIP";
2722 case WPA_CIPHER_BIP_GMAC_128:
2723 return "BIP-GMAC-128";
2724 case WPA_CIPHER_BIP_GMAC_256:
2725 return "BIP-GMAC-256";
2726 case WPA_CIPHER_BIP_CMAC_256:
2727 return "BIP-CMAC-256";
2728 case WPA_CIPHER_GTK_NOT_USED:
2729 return "GTK_NOT_USED";
2730 default:
2731 return "UNKNOWN";
2732 }
2733 }
2734
2735
2736 /**
2737 * wpa_key_mgmt_txt - Convert key management suite to a text string
2738 * @key_mgmt: Key management suite (WPA_KEY_MGMT_* enum)
2739 * @proto: WPA/WPA2 version (WPA_PROTO_*)
2740 * Returns: Pointer to a text string of the key management suite name
2741 */
wpa_key_mgmt_txt(int key_mgmt,int proto)2742 const char * wpa_key_mgmt_txt(int key_mgmt, int proto)
2743 {
2744 switch (key_mgmt) {
2745 case WPA_KEY_MGMT_IEEE8021X:
2746 if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA))
2747 return "WPA2+WPA/IEEE 802.1X/EAP";
2748 return proto == WPA_PROTO_RSN ?
2749 "WPA2/IEEE 802.1X/EAP" : "WPA/IEEE 802.1X/EAP";
2750 case WPA_KEY_MGMT_PSK:
2751 if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA))
2752 return "WPA2-PSK+WPA-PSK";
2753 return proto == WPA_PROTO_RSN ?
2754 "WPA2-PSK" : "WPA-PSK";
2755 case WPA_KEY_MGMT_NONE:
2756 return "NONE";
2757 case WPA_KEY_MGMT_WPA_NONE:
2758 return "WPA-NONE";
2759 case WPA_KEY_MGMT_IEEE8021X_NO_WPA:
2760 return "IEEE 802.1X (no WPA)";
2761 #ifdef CONFIG_IEEE80211R
2762 case WPA_KEY_MGMT_FT_IEEE8021X:
2763 return "FT-EAP";
2764 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
2765 return "FT-EAP-SHA384";
2766 case WPA_KEY_MGMT_FT_PSK:
2767 return "FT-PSK";
2768 #endif /* CONFIG_IEEE80211R */
2769 case WPA_KEY_MGMT_IEEE8021X_SHA256:
2770 return "WPA2-EAP-SHA256";
2771 case WPA_KEY_MGMT_PSK_SHA256:
2772 return "WPA2-PSK-SHA256";
2773 case WPA_KEY_MGMT_WPS:
2774 return "WPS";
2775 case WPA_KEY_MGMT_SAE:
2776 return "SAE";
2777 case WPA_KEY_MGMT_SAE_EXT_KEY:
2778 return "SAE-EXT-KEY";
2779 case WPA_KEY_MGMT_FT_SAE:
2780 return "FT-SAE";
2781 case WPA_KEY_MGMT_FT_SAE_EXT_KEY:
2782 return "FT-SAE-EXT-KEY";
2783 case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
2784 return "WPA2-EAP-SUITE-B";
2785 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
2786 return "WPA2-EAP-SUITE-B-192";
2787 case WPA_KEY_MGMT_FILS_SHA256:
2788 return "FILS-SHA256";
2789 case WPA_KEY_MGMT_FILS_SHA384:
2790 return "FILS-SHA384";
2791 case WPA_KEY_MGMT_FT_FILS_SHA256:
2792 return "FT-FILS-SHA256";
2793 case WPA_KEY_MGMT_FT_FILS_SHA384:
2794 return "FT-FILS-SHA384";
2795 case WPA_KEY_MGMT_OWE:
2796 return "OWE";
2797 case WPA_KEY_MGMT_DPP:
2798 return "DPP";
2799 case WPA_KEY_MGMT_PASN:
2800 return "PASN";
2801 case WPA_KEY_MGMT_IEEE8021X_SHA384:
2802 return "WPA2-EAP-SHA384";
2803 default:
2804 return "UNKNOWN";
2805 }
2806 }
2807
2808
wpa_akm_to_suite(int akm)2809 u32 wpa_akm_to_suite(int akm)
2810 {
2811 if (akm & WPA_KEY_MGMT_FT_IEEE8021X_SHA384)
2812 return RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384;
2813 if (akm & WPA_KEY_MGMT_FT_IEEE8021X)
2814 return RSN_AUTH_KEY_MGMT_FT_802_1X;
2815 if (akm & WPA_KEY_MGMT_FT_PSK)
2816 return RSN_AUTH_KEY_MGMT_FT_PSK;
2817 if (akm & WPA_KEY_MGMT_IEEE8021X_SHA384)
2818 return RSN_AUTH_KEY_MGMT_802_1X_SHA384;
2819 if (akm & WPA_KEY_MGMT_IEEE8021X_SHA256)
2820 return RSN_AUTH_KEY_MGMT_802_1X_SHA256;
2821 if (akm & WPA_KEY_MGMT_IEEE8021X)
2822 return RSN_AUTH_KEY_MGMT_UNSPEC_802_1X;
2823 if (akm & WPA_KEY_MGMT_PSK_SHA256)
2824 return RSN_AUTH_KEY_MGMT_PSK_SHA256;
2825 if (akm & WPA_KEY_MGMT_PSK)
2826 return RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X;
2827 if (akm & WPA_KEY_MGMT_CCKM)
2828 return RSN_AUTH_KEY_MGMT_CCKM;
2829 if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B)
2830 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
2831 if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)
2832 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192;
2833 if (akm & WPA_KEY_MGMT_FILS_SHA256)
2834 return RSN_AUTH_KEY_MGMT_FILS_SHA256;
2835 if (akm & WPA_KEY_MGMT_FILS_SHA384)
2836 return RSN_AUTH_KEY_MGMT_FILS_SHA384;
2837 if (akm & WPA_KEY_MGMT_FT_FILS_SHA256)
2838 return RSN_AUTH_KEY_MGMT_FT_FILS_SHA256;
2839 if (akm & WPA_KEY_MGMT_FT_FILS_SHA384)
2840 return RSN_AUTH_KEY_MGMT_FT_FILS_SHA384;
2841 if (akm & WPA_KEY_MGMT_SAE)
2842 return RSN_AUTH_KEY_MGMT_SAE;
2843 if (akm & WPA_KEY_MGMT_SAE_EXT_KEY)
2844 return RSN_AUTH_KEY_MGMT_SAE_EXT_KEY;
2845 if (akm & WPA_KEY_MGMT_FT_SAE)
2846 return RSN_AUTH_KEY_MGMT_FT_SAE;
2847 if (akm & WPA_KEY_MGMT_FT_SAE_EXT_KEY)
2848 return RSN_AUTH_KEY_MGMT_FT_SAE_EXT_KEY;
2849 if (akm & WPA_KEY_MGMT_OWE)
2850 return RSN_AUTH_KEY_MGMT_OWE;
2851 if (akm & WPA_KEY_MGMT_DPP)
2852 return RSN_AUTH_KEY_MGMT_DPP;
2853 return 0;
2854 }
2855
2856
wpa_compare_rsn_ie(int ft_initial_assoc,const u8 * ie1,size_t ie1len,const u8 * ie2,size_t ie2len)2857 int wpa_compare_rsn_ie(int ft_initial_assoc,
2858 const u8 *ie1, size_t ie1len,
2859 const u8 *ie2, size_t ie2len)
2860 {
2861 if (ie1 == NULL || ie2 == NULL)
2862 return -1;
2863
2864 if (ie1len == ie2len && os_memcmp(ie1, ie2, ie1len) == 0)
2865 return 0; /* identical IEs */
2866
2867 #ifdef CONFIG_IEEE80211R
2868 if (ft_initial_assoc) {
2869 struct wpa_ie_data ie1d, ie2d;
2870 /*
2871 * The PMKID-List in RSN IE is different between Beacon/Probe
2872 * Response/(Re)Association Request frames and EAPOL-Key
2873 * messages in FT initial mobility domain association. Allow
2874 * for this, but verify that other parts of the RSN IEs are
2875 * identical.
2876 */
2877 if (wpa_parse_wpa_ie_rsn(ie1, ie1len, &ie1d) < 0 ||
2878 wpa_parse_wpa_ie_rsn(ie2, ie2len, &ie2d) < 0)
2879 return -1;
2880 if (ie1d.proto == ie2d.proto &&
2881 ie1d.pairwise_cipher == ie2d.pairwise_cipher &&
2882 ie1d.group_cipher == ie2d.group_cipher &&
2883 ie1d.key_mgmt == ie2d.key_mgmt &&
2884 ie1d.capabilities == ie2d.capabilities &&
2885 ie1d.mgmt_group_cipher == ie2d.mgmt_group_cipher)
2886 return 0;
2887 }
2888 #endif /* CONFIG_IEEE80211R */
2889
2890 return -1;
2891 }
2892
2893
wpa_insert_pmkid(u8 * ies,size_t * ies_len,const u8 * pmkid,bool replace)2894 int wpa_insert_pmkid(u8 *ies, size_t *ies_len, const u8 *pmkid, bool replace)
2895 {
2896 u8 *start, *end, *rpos, *rend;
2897 int added = 0;
2898
2899 start = ies;
2900 end = ies + *ies_len;
2901
2902 while (start < end) {
2903 if (*start == WLAN_EID_RSN)
2904 break;
2905 start += 2 + start[1];
2906 }
2907 if (start >= end) {
2908 wpa_printf(MSG_ERROR, "RSN: Could not find RSNE in IEs data");
2909 return -1;
2910 }
2911 wpa_hexdump(MSG_DEBUG, "RSN: RSNE before modification",
2912 start, 2 + start[1]);
2913
2914 /* Find start of PMKID-Count */
2915 rpos = start + 2;
2916 rend = rpos + start[1];
2917
2918 /* Skip Version and Group Data Cipher Suite */
2919 rpos += 2 + 4;
2920 /* Skip Pairwise Cipher Suite Count and List */
2921 rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN;
2922 /* Skip AKM Suite Count and List */
2923 rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN;
2924
2925 if (rpos == rend) {
2926 /* Add RSN Capabilities */
2927 os_memmove(rpos + 2, rpos, end - rpos);
2928 *rpos++ = 0;
2929 *rpos++ = 0;
2930 added += 2;
2931 start[1] += 2;
2932 rend = rpos;
2933 } else {
2934 /* Skip RSN Capabilities */
2935 rpos += 2;
2936 if (rpos > rend) {
2937 wpa_printf(MSG_ERROR,
2938 "RSN: Could not parse RSNE in IEs data");
2939 return -1;
2940 }
2941 }
2942
2943 if (rpos == rend) {
2944 /* No PMKID-Count field included; add it */
2945 os_memmove(rpos + 2 + PMKID_LEN, rpos, end + added - rpos);
2946 WPA_PUT_LE16(rpos, 1);
2947 rpos += 2;
2948 os_memcpy(rpos, pmkid, PMKID_LEN);
2949 added += 2 + PMKID_LEN;
2950 start[1] += 2 + PMKID_LEN;
2951 } else {
2952 u16 num_pmkid;
2953
2954 if (rend - rpos < 2)
2955 return -1;
2956 num_pmkid = WPA_GET_LE16(rpos);
2957 if (num_pmkid * PMKID_LEN > rend - rpos - 2)
2958 return -1;
2959 /* PMKID-Count was included; use it */
2960 if (replace && num_pmkid != 0) {
2961 u8 *after;
2962
2963 /*
2964 * PMKID may have been included in RSN IE in
2965 * (Re)Association Request frame, so remove the old
2966 * PMKID(s) first before adding the new one.
2967 */
2968 wpa_printf(MSG_DEBUG,
2969 "RSN: Remove %u old PMKID(s) from RSNE",
2970 num_pmkid);
2971 after = rpos + 2 + num_pmkid * PMKID_LEN;
2972 os_memmove(rpos + 2, after, end - after);
2973 start[1] -= num_pmkid * PMKID_LEN;
2974 added -= num_pmkid * PMKID_LEN;
2975 num_pmkid = 0;
2976 }
2977 WPA_PUT_LE16(rpos, num_pmkid + 1);
2978 rpos += 2;
2979 os_memmove(rpos + PMKID_LEN, rpos, end + added - rpos);
2980 os_memcpy(rpos, pmkid, PMKID_LEN);
2981 added += PMKID_LEN;
2982 start[1] += PMKID_LEN;
2983 }
2984
2985 wpa_hexdump(MSG_DEBUG, "RSN: RSNE after modification (PMKID inserted)",
2986 start, 2 + start[1]);
2987
2988 *ies_len += added;
2989
2990 return 0;
2991 }
2992
2993
wpa_cipher_key_len(int cipher)2994 int wpa_cipher_key_len(int cipher)
2995 {
2996 switch (cipher) {
2997 case WPA_CIPHER_CCMP_256:
2998 case WPA_CIPHER_GCMP_256:
2999 case WPA_CIPHER_BIP_GMAC_256:
3000 case WPA_CIPHER_BIP_CMAC_256:
3001 return 32;
3002 case WPA_CIPHER_CCMP:
3003 case WPA_CIPHER_GCMP:
3004 case WPA_CIPHER_AES_128_CMAC:
3005 case WPA_CIPHER_BIP_GMAC_128:
3006 return 16;
3007 case WPA_CIPHER_TKIP:
3008 return 32;
3009 default:
3010 return 0;
3011 }
3012 }
3013
3014
wpa_cipher_rsc_len(int cipher)3015 int wpa_cipher_rsc_len(int cipher)
3016 {
3017 switch (cipher) {
3018 case WPA_CIPHER_CCMP_256:
3019 case WPA_CIPHER_GCMP_256:
3020 case WPA_CIPHER_CCMP:
3021 case WPA_CIPHER_GCMP:
3022 case WPA_CIPHER_TKIP:
3023 return 6;
3024 default:
3025 return 0;
3026 }
3027 }
3028
3029
wpa_cipher_to_alg(int cipher)3030 enum wpa_alg wpa_cipher_to_alg(int cipher)
3031 {
3032 switch (cipher) {
3033 case WPA_CIPHER_CCMP_256:
3034 return WPA_ALG_CCMP_256;
3035 case WPA_CIPHER_GCMP_256:
3036 return WPA_ALG_GCMP_256;
3037 case WPA_CIPHER_CCMP:
3038 return WPA_ALG_CCMP;
3039 case WPA_CIPHER_GCMP:
3040 return WPA_ALG_GCMP;
3041 case WPA_CIPHER_TKIP:
3042 return WPA_ALG_TKIP;
3043 case WPA_CIPHER_AES_128_CMAC:
3044 return WPA_ALG_BIP_CMAC_128;
3045 case WPA_CIPHER_BIP_GMAC_128:
3046 return WPA_ALG_BIP_GMAC_128;
3047 case WPA_CIPHER_BIP_GMAC_256:
3048 return WPA_ALG_BIP_GMAC_256;
3049 case WPA_CIPHER_BIP_CMAC_256:
3050 return WPA_ALG_BIP_CMAC_256;
3051 default:
3052 return WPA_ALG_NONE;
3053 }
3054 }
3055
3056
wpa_cipher_valid_pairwise(int cipher)3057 int wpa_cipher_valid_pairwise(int cipher)
3058 {
3059 #ifdef CONFIG_NO_TKIP
3060 return cipher == WPA_CIPHER_CCMP_256 ||
3061 cipher == WPA_CIPHER_GCMP_256 ||
3062 cipher == WPA_CIPHER_CCMP ||
3063 cipher == WPA_CIPHER_GCMP;
3064 #else /* CONFIG_NO_TKIP */
3065 return cipher == WPA_CIPHER_CCMP_256 ||
3066 cipher == WPA_CIPHER_GCMP_256 ||
3067 cipher == WPA_CIPHER_CCMP ||
3068 cipher == WPA_CIPHER_GCMP ||
3069 cipher == WPA_CIPHER_TKIP;
3070 #endif /* CONFIG_NO_TKIP */
3071 }
3072
3073
wpa_cipher_to_suite(int proto,int cipher)3074 u32 wpa_cipher_to_suite(int proto, int cipher)
3075 {
3076 if (cipher & WPA_CIPHER_CCMP_256)
3077 return RSN_CIPHER_SUITE_CCMP_256;
3078 if (cipher & WPA_CIPHER_GCMP_256)
3079 return RSN_CIPHER_SUITE_GCMP_256;
3080 if (cipher & WPA_CIPHER_CCMP)
3081 return (proto == WPA_PROTO_RSN ?
3082 RSN_CIPHER_SUITE_CCMP : WPA_CIPHER_SUITE_CCMP);
3083 if (cipher & WPA_CIPHER_GCMP)
3084 return RSN_CIPHER_SUITE_GCMP;
3085 if (cipher & WPA_CIPHER_TKIP)
3086 return (proto == WPA_PROTO_RSN ?
3087 RSN_CIPHER_SUITE_TKIP : WPA_CIPHER_SUITE_TKIP);
3088 if (cipher & WPA_CIPHER_NONE)
3089 return (proto == WPA_PROTO_RSN ?
3090 RSN_CIPHER_SUITE_NONE : WPA_CIPHER_SUITE_NONE);
3091 if (cipher & WPA_CIPHER_GTK_NOT_USED)
3092 return RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED;
3093 if (cipher & WPA_CIPHER_AES_128_CMAC)
3094 return RSN_CIPHER_SUITE_AES_128_CMAC;
3095 if (cipher & WPA_CIPHER_BIP_GMAC_128)
3096 return RSN_CIPHER_SUITE_BIP_GMAC_128;
3097 if (cipher & WPA_CIPHER_BIP_GMAC_256)
3098 return RSN_CIPHER_SUITE_BIP_GMAC_256;
3099 if (cipher & WPA_CIPHER_BIP_CMAC_256)
3100 return RSN_CIPHER_SUITE_BIP_CMAC_256;
3101 return 0;
3102 }
3103
3104
rsn_cipher_put_suites(u8 * start,int ciphers)3105 int rsn_cipher_put_suites(u8 *start, int ciphers)
3106 {
3107 u8 *pos = start;
3108
3109 if (ciphers & WPA_CIPHER_CCMP_256) {
3110 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP_256);
3111 pos += RSN_SELECTOR_LEN;
3112 }
3113 if (ciphers & WPA_CIPHER_GCMP_256) {
3114 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP_256);
3115 pos += RSN_SELECTOR_LEN;
3116 }
3117 if (ciphers & WPA_CIPHER_CCMP) {
3118 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
3119 pos += RSN_SELECTOR_LEN;
3120 }
3121 if (ciphers & WPA_CIPHER_GCMP) {
3122 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP);
3123 pos += RSN_SELECTOR_LEN;
3124 }
3125 if (ciphers & WPA_CIPHER_TKIP) {
3126 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_TKIP);
3127 pos += RSN_SELECTOR_LEN;
3128 }
3129 if (ciphers & WPA_CIPHER_NONE) {
3130 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NONE);
3131 pos += RSN_SELECTOR_LEN;
3132 }
3133
3134 return (pos - start) / RSN_SELECTOR_LEN;
3135 }
3136
3137
wpa_cipher_put_suites(u8 * start,int ciphers)3138 int wpa_cipher_put_suites(u8 *start, int ciphers)
3139 {
3140 u8 *pos = start;
3141
3142 if (ciphers & WPA_CIPHER_CCMP) {
3143 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_CCMP);
3144 pos += WPA_SELECTOR_LEN;
3145 }
3146 if (ciphers & WPA_CIPHER_TKIP) {
3147 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_TKIP);
3148 pos += WPA_SELECTOR_LEN;
3149 }
3150 if (ciphers & WPA_CIPHER_NONE) {
3151 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_NONE);
3152 pos += WPA_SELECTOR_LEN;
3153 }
3154
3155 return (pos - start) / RSN_SELECTOR_LEN;
3156 }
3157
3158
wpa_pick_pairwise_cipher(int ciphers,int none_allowed)3159 int wpa_pick_pairwise_cipher(int ciphers, int none_allowed)
3160 {
3161 if (ciphers & WPA_CIPHER_CCMP_256)
3162 return WPA_CIPHER_CCMP_256;
3163 if (ciphers & WPA_CIPHER_GCMP_256)
3164 return WPA_CIPHER_GCMP_256;
3165 if (ciphers & WPA_CIPHER_CCMP)
3166 return WPA_CIPHER_CCMP;
3167 if (ciphers & WPA_CIPHER_GCMP)
3168 return WPA_CIPHER_GCMP;
3169 if (ciphers & WPA_CIPHER_TKIP)
3170 return WPA_CIPHER_TKIP;
3171 if (none_allowed && (ciphers & WPA_CIPHER_NONE))
3172 return WPA_CIPHER_NONE;
3173 return -1;
3174 }
3175
3176
wpa_pick_group_cipher(int ciphers)3177 int wpa_pick_group_cipher(int ciphers)
3178 {
3179 if (ciphers & WPA_CIPHER_CCMP_256)
3180 return WPA_CIPHER_CCMP_256;
3181 if (ciphers & WPA_CIPHER_GCMP_256)
3182 return WPA_CIPHER_GCMP_256;
3183 if (ciphers & WPA_CIPHER_CCMP)
3184 return WPA_CIPHER_CCMP;
3185 if (ciphers & WPA_CIPHER_GCMP)
3186 return WPA_CIPHER_GCMP;
3187 if (ciphers & WPA_CIPHER_GTK_NOT_USED)
3188 return WPA_CIPHER_GTK_NOT_USED;
3189 if (ciphers & WPA_CIPHER_TKIP)
3190 return WPA_CIPHER_TKIP;
3191 return -1;
3192 }
3193
3194
wpa_parse_cipher(const char * value)3195 int wpa_parse_cipher(const char *value)
3196 {
3197 int val = 0, last;
3198 char *start, *end, *buf;
3199
3200 buf = os_strdup(value);
3201 if (buf == NULL)
3202 return -1;
3203 start = buf;
3204
3205 while (*start != '\0') {
3206 while (*start == ' ' || *start == '\t')
3207 start++;
3208 if (*start == '\0')
3209 break;
3210 end = start;
3211 while (*end != ' ' && *end != '\t' && *end != '\0')
3212 end++;
3213 last = *end == '\0';
3214 *end = '\0';
3215 if (os_strcmp(start, "CCMP-256") == 0)
3216 val |= WPA_CIPHER_CCMP_256;
3217 else if (os_strcmp(start, "GCMP-256") == 0)
3218 val |= WPA_CIPHER_GCMP_256;
3219 else if (os_strcmp(start, "CCMP") == 0)
3220 val |= WPA_CIPHER_CCMP;
3221 else if (os_strcmp(start, "GCMP") == 0)
3222 val |= WPA_CIPHER_GCMP;
3223 #ifndef CONFIG_NO_TKIP
3224 else if (os_strcmp(start, "TKIP") == 0)
3225 val |= WPA_CIPHER_TKIP;
3226 #endif /* CONFIG_NO_TKIP */
3227 #ifdef CONFIG_WEP
3228 else if (os_strcmp(start, "WEP104") == 0)
3229 val |= WPA_CIPHER_WEP104;
3230 else if (os_strcmp(start, "WEP40") == 0)
3231 val |= WPA_CIPHER_WEP40;
3232 #endif /* CONFIG_WEP */
3233 else if (os_strcmp(start, "NONE") == 0)
3234 val |= WPA_CIPHER_NONE;
3235 else if (os_strcmp(start, "GTK_NOT_USED") == 0)
3236 val |= WPA_CIPHER_GTK_NOT_USED;
3237 else if (os_strcmp(start, "AES-128-CMAC") == 0)
3238 val |= WPA_CIPHER_AES_128_CMAC;
3239 else if (os_strcmp(start, "BIP-GMAC-128") == 0)
3240 val |= WPA_CIPHER_BIP_GMAC_128;
3241 else if (os_strcmp(start, "BIP-GMAC-256") == 0)
3242 val |= WPA_CIPHER_BIP_GMAC_256;
3243 else if (os_strcmp(start, "BIP-CMAC-256") == 0)
3244 val |= WPA_CIPHER_BIP_CMAC_256;
3245 else {
3246 os_free(buf);
3247 return -1;
3248 }
3249
3250 if (last)
3251 break;
3252 start = end + 1;
3253 }
3254 os_free(buf);
3255
3256 return val;
3257 }
3258
3259
wpa_write_ciphers(char * start,char * end,int ciphers,const char * delim)3260 int wpa_write_ciphers(char *start, char *end, int ciphers, const char *delim)
3261 {
3262 char *pos = start;
3263 int ret;
3264
3265 if (ciphers & WPA_CIPHER_CCMP_256) {
3266 ret = os_snprintf(pos, end - pos, "%sCCMP-256",
3267 pos == start ? "" : delim);
3268 if (os_snprintf_error(end - pos, ret))
3269 return -1;
3270 pos += ret;
3271 }
3272 if (ciphers & WPA_CIPHER_GCMP_256) {
3273 ret = os_snprintf(pos, end - pos, "%sGCMP-256",
3274 pos == start ? "" : delim);
3275 if (os_snprintf_error(end - pos, ret))
3276 return -1;
3277 pos += ret;
3278 }
3279 if (ciphers & WPA_CIPHER_CCMP) {
3280 ret = os_snprintf(pos, end - pos, "%sCCMP",
3281 pos == start ? "" : delim);
3282 if (os_snprintf_error(end - pos, ret))
3283 return -1;
3284 pos += ret;
3285 }
3286 if (ciphers & WPA_CIPHER_GCMP) {
3287 ret = os_snprintf(pos, end - pos, "%sGCMP",
3288 pos == start ? "" : delim);
3289 if (os_snprintf_error(end - pos, ret))
3290 return -1;
3291 pos += ret;
3292 }
3293 if (ciphers & WPA_CIPHER_TKIP) {
3294 ret = os_snprintf(pos, end - pos, "%sTKIP",
3295 pos == start ? "" : delim);
3296 if (os_snprintf_error(end - pos, ret))
3297 return -1;
3298 pos += ret;
3299 }
3300 if (ciphers & WPA_CIPHER_AES_128_CMAC) {
3301 ret = os_snprintf(pos, end - pos, "%sAES-128-CMAC",
3302 pos == start ? "" : delim);
3303 if (os_snprintf_error(end - pos, ret))
3304 return -1;
3305 pos += ret;
3306 }
3307 if (ciphers & WPA_CIPHER_BIP_GMAC_128) {
3308 ret = os_snprintf(pos, end - pos, "%sBIP-GMAC-128",
3309 pos == start ? "" : delim);
3310 if (os_snprintf_error(end - pos, ret))
3311 return -1;
3312 pos += ret;
3313 }
3314 if (ciphers & WPA_CIPHER_BIP_GMAC_256) {
3315 ret = os_snprintf(pos, end - pos, "%sBIP-GMAC-256",
3316 pos == start ? "" : delim);
3317 if (os_snprintf_error(end - pos, ret))
3318 return -1;
3319 pos += ret;
3320 }
3321 if (ciphers & WPA_CIPHER_BIP_CMAC_256) {
3322 ret = os_snprintf(pos, end - pos, "%sBIP-CMAC-256",
3323 pos == start ? "" : delim);
3324 if (os_snprintf_error(end - pos, ret))
3325 return -1;
3326 pos += ret;
3327 }
3328 if (ciphers & WPA_CIPHER_NONE) {
3329 ret = os_snprintf(pos, end - pos, "%sNONE",
3330 pos == start ? "" : delim);
3331 if (os_snprintf_error(end - pos, ret))
3332 return -1;
3333 pos += ret;
3334 }
3335
3336 return pos - start;
3337 }
3338
3339
wpa_select_ap_group_cipher(int wpa,int wpa_pairwise,int rsn_pairwise)3340 int wpa_select_ap_group_cipher(int wpa, int wpa_pairwise, int rsn_pairwise)
3341 {
3342 int pairwise = 0;
3343
3344 /* Select group cipher based on the enabled pairwise cipher suites */
3345 if (wpa & 1)
3346 pairwise |= wpa_pairwise;
3347 if (wpa & 2)
3348 pairwise |= rsn_pairwise;
3349
3350 if (pairwise & WPA_CIPHER_TKIP)
3351 return WPA_CIPHER_TKIP;
3352 if ((pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP)
3353 return WPA_CIPHER_GCMP;
3354 if ((pairwise & (WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP |
3355 WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP_256)
3356 return WPA_CIPHER_GCMP_256;
3357 if ((pairwise & (WPA_CIPHER_CCMP_256 | WPA_CIPHER_CCMP |
3358 WPA_CIPHER_GCMP)) == WPA_CIPHER_CCMP_256)
3359 return WPA_CIPHER_CCMP_256;
3360 return WPA_CIPHER_CCMP;
3361 }
3362
3363
3364 #ifdef CONFIG_FILS
fils_domain_name_hash(const char * domain,u8 * hash)3365 int fils_domain_name_hash(const char *domain, u8 *hash)
3366 {
3367 char buf[255], *wpos = buf;
3368 const char *pos = domain;
3369 size_t len;
3370 const u8 *addr[1];
3371 u8 mac[SHA256_MAC_LEN];
3372
3373 for (len = 0; len < sizeof(buf) && *pos; len++) {
3374 if (isalpha(*pos) && isupper(*pos))
3375 *wpos++ = tolower(*pos);
3376 else
3377 *wpos++ = *pos;
3378 pos++;
3379 }
3380
3381 addr[0] = (const u8 *) buf;
3382 if (sha256_vector(1, addr, &len, mac) < 0)
3383 return -1;
3384 os_memcpy(hash, mac, 2);
3385 return 0;
3386 }
3387 #endif /* CONFIG_FILS */
3388
3389
3390 /**
3391 * wpa_parse_vendor_specific - Parse Vendor Specific IEs
3392 * @pos: Pointer to the IE header
3393 * @end: Pointer to the end of the Key Data buffer
3394 * @ie: Pointer to parsed IE data
3395 */
wpa_parse_vendor_specific(const u8 * pos,const u8 * end,struct wpa_eapol_ie_parse * ie)3396 static void wpa_parse_vendor_specific(const u8 *pos, const u8 *end,
3397 struct wpa_eapol_ie_parse *ie)
3398 {
3399 unsigned int oui;
3400
3401 if (pos[1] < 4) {
3402 wpa_printf(MSG_MSGDUMP,
3403 "Too short vendor specific IE ignored (len=%u)",
3404 pos[1]);
3405 return;
3406 }
3407
3408 oui = WPA_GET_BE24(&pos[2]);
3409 if (oui == OUI_MICROSOFT && pos[5] == WMM_OUI_TYPE && pos[1] > 4) {
3410 if (pos[6] == WMM_OUI_SUBTYPE_INFORMATION_ELEMENT) {
3411 ie->wmm = &pos[2];
3412 ie->wmm_len = pos[1];
3413 wpa_hexdump(MSG_DEBUG, "WPA: WMM IE",
3414 ie->wmm, ie->wmm_len);
3415 } else if (pos[6] == WMM_OUI_SUBTYPE_PARAMETER_ELEMENT) {
3416 ie->wmm = &pos[2];
3417 ie->wmm_len = pos[1];
3418 wpa_hexdump(MSG_DEBUG, "WPA: WMM Parameter Element",
3419 ie->wmm, ie->wmm_len);
3420 }
3421 }
3422 }
3423
3424
3425 /**
3426 * wpa_parse_generic - Parse EAPOL-Key Key Data Generic IEs
3427 * @pos: Pointer to the IE header
3428 * @ie: Pointer to parsed IE data
3429 * Returns: 0 on success, 1 if end mark is found, 2 if KDE is not recognized
3430 */
wpa_parse_generic(const u8 * pos,struct wpa_eapol_ie_parse * ie)3431 static int wpa_parse_generic(const u8 *pos, struct wpa_eapol_ie_parse *ie)
3432 {
3433 u8 len = pos[1];
3434 size_t dlen = 2 + len;
3435 u32 selector;
3436 const u8 *p;
3437 size_t left;
3438 u8 link_id;
3439 char title[100];
3440 int ret;
3441
3442 if (len == 0)
3443 return 1;
3444
3445 if (len < RSN_SELECTOR_LEN)
3446 return 2;
3447
3448 p = pos + 2;
3449 selector = RSN_SELECTOR_GET(p);
3450 p += RSN_SELECTOR_LEN;
3451 left = len - RSN_SELECTOR_LEN;
3452
3453 if (left >= 2 && selector == WPA_OUI_TYPE && p[0] == 1 && p[1] == 0) {
3454 ie->wpa_ie = pos;
3455 ie->wpa_ie_len = dlen;
3456 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE in EAPOL-Key",
3457 ie->wpa_ie, ie->wpa_ie_len);
3458 return 0;
3459 }
3460
3461 if (left >= PMKID_LEN && selector == RSN_KEY_DATA_PMKID) {
3462 ie->pmkid = p;
3463 wpa_hexdump(MSG_DEBUG, "WPA: PMKID in EAPOL-Key", pos, dlen);
3464 return 0;
3465 }
3466
3467 if (left >= 2 && selector == RSN_KEY_DATA_KEYID) {
3468 ie->key_id = p;
3469 wpa_hexdump(MSG_DEBUG, "WPA: KeyID in EAPOL-Key", pos, dlen);
3470 return 0;
3471 }
3472
3473 if (left > 2 && selector == RSN_KEY_DATA_GROUPKEY) {
3474 ie->gtk = p;
3475 ie->gtk_len = left;
3476 wpa_hexdump_key(MSG_DEBUG, "WPA: GTK in EAPOL-Key", pos, dlen);
3477 return 0;
3478 }
3479
3480 if (left >= ETH_ALEN && selector == RSN_KEY_DATA_MAC_ADDR) {
3481 ie->mac_addr = p;
3482 wpa_printf(MSG_DEBUG, "WPA: MAC Address in EAPOL-Key: " MACSTR,
3483 MAC2STR(ie->mac_addr));
3484 return 0;
3485 }
3486
3487 if (left > 2 && selector == RSN_KEY_DATA_IGTK) {
3488 ie->igtk = p;
3489 ie->igtk_len = left;
3490 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK in EAPOL-Key",
3491 pos, dlen);
3492 return 0;
3493 }
3494
3495 if (left > 2 && selector == RSN_KEY_DATA_BIGTK) {
3496 ie->bigtk = p;
3497 ie->bigtk_len = left;
3498 wpa_hexdump_key(MSG_DEBUG, "WPA: BIGTK in EAPOL-Key",
3499 pos, dlen);
3500 return 0;
3501 }
3502
3503 if (left >= 1 && selector == WFA_KEY_DATA_IP_ADDR_REQ) {
3504 ie->ip_addr_req = p;
3505 wpa_hexdump(MSG_DEBUG, "WPA: IP Address Request in EAPOL-Key",
3506 ie->ip_addr_req, left);
3507 return 0;
3508 }
3509
3510 if (left >= 3 * 4 && selector == WFA_KEY_DATA_IP_ADDR_ALLOC) {
3511 ie->ip_addr_alloc = p;
3512 wpa_hexdump(MSG_DEBUG,
3513 "WPA: IP Address Allocation in EAPOL-Key",
3514 ie->ip_addr_alloc, left);
3515 return 0;
3516 }
3517
3518 if (left > 2 && selector == RSN_KEY_DATA_OCI) {
3519 ie->oci = p;
3520 ie->oci_len = left;
3521 wpa_hexdump(MSG_DEBUG, "WPA: OCI KDE in EAPOL-Key",
3522 pos, dlen);
3523 return 0;
3524 }
3525
3526 if (left >= 1 && selector == WFA_KEY_DATA_TRANSITION_DISABLE) {
3527 ie->transition_disable = p;
3528 ie->transition_disable_len = left;
3529 wpa_hexdump(MSG_DEBUG,
3530 "WPA: Transition Disable KDE in EAPOL-Key",
3531 pos, dlen);
3532 return 0;
3533 }
3534
3535 if (left >= 2 && selector == WFA_KEY_DATA_DPP) {
3536 ie->dpp_kde = p;
3537 ie->dpp_kde_len = left;
3538 wpa_hexdump(MSG_DEBUG, "WPA: DPP KDE in EAPOL-Key", pos, dlen);
3539 return 0;
3540 }
3541
3542 if (left >= RSN_MLO_GTK_KDE_PREFIX_LENGTH &&
3543 selector == RSN_KEY_DATA_MLO_GTK) {
3544 link_id = (p[0] & RSN_MLO_GTK_KDE_PREFIX0_LINK_ID_MASK) >>
3545 RSN_MLO_GTK_KDE_PREFIX0_LINK_ID_SHIFT;
3546 if (link_id >= MAX_NUM_MLD_LINKS)
3547 return 2;
3548
3549 ie->valid_mlo_gtks |= BIT(link_id);
3550 ie->mlo_gtk[link_id] = p;
3551 ie->mlo_gtk_len[link_id] = left;
3552 ret = os_snprintf(title, sizeof(title),
3553 "RSN: Link ID %u - MLO GTK KDE in EAPOL-Key",
3554 link_id);
3555 if (!os_snprintf_error(sizeof(title), ret))
3556 wpa_hexdump_key(MSG_DEBUG, title, pos, dlen);
3557 return 0;
3558 }
3559
3560 if (left >= RSN_MLO_IGTK_KDE_PREFIX_LENGTH &&
3561 selector == RSN_KEY_DATA_MLO_IGTK) {
3562 link_id = (p[8] & RSN_MLO_IGTK_KDE_PREFIX8_LINK_ID_MASK) >>
3563 RSN_MLO_IGTK_KDE_PREFIX8_LINK_ID_SHIFT;
3564 if (link_id >= MAX_NUM_MLD_LINKS)
3565 return 2;
3566
3567 ie->valid_mlo_igtks |= BIT(link_id);
3568 ie->mlo_igtk[link_id] = p;
3569 ie->mlo_igtk_len[link_id] = left;
3570 ret = os_snprintf(title, sizeof(title),
3571 "RSN: Link ID %u - MLO IGTK KDE in EAPOL-Key",
3572 link_id);
3573 if (!os_snprintf_error(sizeof(title), ret))
3574 wpa_hexdump_key(MSG_DEBUG, title, pos, dlen);
3575 return 0;
3576 }
3577
3578 if (left >= RSN_MLO_BIGTK_KDE_PREFIX_LENGTH &&
3579 selector == RSN_KEY_DATA_MLO_BIGTK) {
3580 link_id = (p[8] & RSN_MLO_BIGTK_KDE_PREFIX8_LINK_ID_MASK) >>
3581 RSN_MLO_BIGTK_KDE_PREFIX8_LINK_ID_SHIFT;
3582 if (link_id >= MAX_NUM_MLD_LINKS)
3583 return 2;
3584
3585 ie->valid_mlo_bigtks |= BIT(link_id);
3586 ie->mlo_bigtk[link_id] = p;
3587 ie->mlo_bigtk_len[link_id] = left;
3588 ret = os_snprintf(title, sizeof(title),
3589 "RSN: Link ID %u - MLO BIGTK KDE in EAPOL-Key",
3590 link_id);
3591 if (!os_snprintf_error(sizeof(title), ret))
3592 wpa_hexdump_key(MSG_DEBUG, title, pos, dlen);
3593 return 0;
3594 }
3595
3596 if (left >= RSN_MLO_LINK_KDE_FIXED_LENGTH &&
3597 selector == RSN_KEY_DATA_MLO_LINK) {
3598 link_id = (p[0] & RSN_MLO_LINK_KDE_LI_LINK_ID_MASK) >>
3599 RSN_MLO_LINK_KDE_LI_LINK_ID_SHIFT;
3600 if (link_id >= MAX_NUM_MLD_LINKS)
3601 return 2;
3602
3603 ie->valid_mlo_links |= BIT(link_id);
3604 ie->mlo_link[link_id] = p;
3605 ie->mlo_link_len[link_id] = left;
3606 ret = os_snprintf(title, sizeof(title),
3607 "RSN: Link ID %u - MLO Link KDE in EAPOL-Key",
3608 link_id);
3609 if (!os_snprintf_error(sizeof(title), ret))
3610 wpa_hexdump(MSG_DEBUG, title, pos, dlen);
3611 return 0;
3612 }
3613
3614 if (left >= 1 && selector == WFA_KEY_DATA_RSN_OVERRIDE_LINK) {
3615 link_id = p[0];
3616 if (link_id >= MAX_NUM_MLD_LINKS)
3617 return 2;
3618
3619 ie->rsn_override_link[link_id] = p;
3620 ie->rsn_override_link_len[link_id] = left;
3621 ret = os_snprintf(title, sizeof(title),
3622 "RSN: Link ID %u - RSN Override Link KDE in EAPOL-Key",
3623 link_id);
3624 if (!os_snprintf_error(sizeof(title), ret))
3625 wpa_hexdump(MSG_DEBUG, title, pos, dlen);
3626 return 0;
3627 }
3628
3629 if (selector == RSNE_OVERRIDE_IE_VENDOR_TYPE) {
3630 ie->rsne_override = pos;
3631 ie->rsne_override_len = dlen;
3632 wpa_hexdump(MSG_DEBUG,
3633 "RSN: RSNE Override element in EAPOL-Key",
3634 ie->rsne_override, ie->rsne_override_len);
3635 return 0;
3636 }
3637
3638 if (selector == RSNE_OVERRIDE_2_IE_VENDOR_TYPE) {
3639 ie->rsne_override_2 = pos;
3640 ie->rsne_override_2_len = dlen;
3641 wpa_hexdump(MSG_DEBUG,
3642 "RSN: RSNE Override 2 element in EAPOL-Key",
3643 ie->rsne_override_2, ie->rsne_override_2_len);
3644 return 0;
3645 }
3646
3647 if (selector == RSNXE_OVERRIDE_IE_VENDOR_TYPE) {
3648 ie->rsnxe_override = pos;
3649 ie->rsnxe_override_len = dlen;
3650 wpa_hexdump(MSG_DEBUG,
3651 "RSN: RSNXE Override element in EAPOL-Key",
3652 ie->rsnxe_override, ie->rsnxe_override_len);
3653 return 0;
3654 }
3655
3656 if (selector == RSN_SELECTION_IE_VENDOR_TYPE) {
3657 ie->rsn_selection = p;
3658 ie->rsn_selection_len = left;
3659 wpa_hexdump(MSG_DEBUG,
3660 "RSN: RSN Selection element in EAPOL-Key",
3661 ie->rsn_selection, ie->rsn_selection_len);
3662 return 0;
3663 }
3664
3665 return 2;
3666 }
3667
3668
3669 /**
3670 * wpa_parse_kde_ies - Parse EAPOL-Key Key Data IEs
3671 * @buf: Pointer to the Key Data buffer
3672 * @len: Key Data Length
3673 * @ie: Pointer to parsed IE data
3674 * Returns: 0 on success, -1 on failure
3675 */
wpa_parse_kde_ies(const u8 * buf,size_t len,struct wpa_eapol_ie_parse * ie)3676 int wpa_parse_kde_ies(const u8 *buf, size_t len, struct wpa_eapol_ie_parse *ie)
3677 {
3678 const u8 *pos, *end;
3679 int ret = 0;
3680 size_t dlen = 0;
3681
3682 os_memset(ie, 0, sizeof(*ie));
3683 for (pos = buf, end = pos + len; end - pos > 1; pos += dlen) {
3684 if (pos[0] == 0xdd &&
3685 ((pos == buf + len - 1) || pos[1] == 0)) {
3686 /* Ignore padding */
3687 break;
3688 }
3689 dlen = 2 + pos[1];
3690 if ((int) dlen > end - pos) {
3691 wpa_printf(MSG_DEBUG,
3692 "WPA: EAPOL-Key Key Data underflow (ie=%d len=%d pos=%d)",
3693 pos[0], pos[1], (int) (pos - buf));
3694 wpa_hexdump_key(MSG_DEBUG, "WPA: Key Data", buf, len);
3695 ret = -1;
3696 break;
3697 }
3698 if (*pos == WLAN_EID_RSN) {
3699 ie->rsn_ie = pos;
3700 ie->rsn_ie_len = dlen;
3701 wpa_hexdump(MSG_DEBUG, "WPA: RSN IE in EAPOL-Key",
3702 ie->rsn_ie, ie->rsn_ie_len);
3703 } else if (*pos == WLAN_EID_RSNX) {
3704 ie->rsnxe = pos;
3705 ie->rsnxe_len = dlen;
3706 wpa_hexdump(MSG_DEBUG, "WPA: RSNXE in EAPOL-Key",
3707 ie->rsnxe, ie->rsnxe_len);
3708 } else if (*pos == WLAN_EID_MOBILITY_DOMAIN) {
3709 ie->mdie = pos;
3710 ie->mdie_len = dlen;
3711 wpa_hexdump(MSG_DEBUG, "WPA: MDIE in EAPOL-Key",
3712 ie->mdie, ie->mdie_len);
3713 } else if (*pos == WLAN_EID_FAST_BSS_TRANSITION) {
3714 ie->ftie = pos;
3715 ie->ftie_len = dlen;
3716 wpa_hexdump(MSG_DEBUG, "WPA: FTIE in EAPOL-Key",
3717 ie->ftie, ie->ftie_len);
3718 } else if (*pos == WLAN_EID_TIMEOUT_INTERVAL && pos[1] >= 5) {
3719 if (pos[2] == WLAN_TIMEOUT_REASSOC_DEADLINE) {
3720 ie->reassoc_deadline = pos;
3721 wpa_hexdump(MSG_DEBUG, "WPA: Reassoc Deadline "
3722 "in EAPOL-Key",
3723 ie->reassoc_deadline, dlen);
3724 } else if (pos[2] == WLAN_TIMEOUT_KEY_LIFETIME) {
3725 ie->key_lifetime = pos;
3726 wpa_hexdump(MSG_DEBUG, "WPA: KeyLifetime "
3727 "in EAPOL-Key",
3728 ie->key_lifetime, dlen);
3729 } else {
3730 wpa_hexdump(MSG_DEBUG, "WPA: Unrecognized "
3731 "EAPOL-Key Key Data IE",
3732 pos, dlen);
3733 }
3734 } else if (*pos == WLAN_EID_LINK_ID) {
3735 if (pos[1] >= 18) {
3736 ie->lnkid = pos;
3737 ie->lnkid_len = dlen;
3738 }
3739 } else if (*pos == WLAN_EID_EXT_CAPAB) {
3740 ie->ext_capab = pos;
3741 ie->ext_capab_len = dlen;
3742 } else if (*pos == WLAN_EID_SUPP_RATES) {
3743 ie->supp_rates = pos;
3744 ie->supp_rates_len = dlen;
3745 } else if (*pos == WLAN_EID_EXT_SUPP_RATES) {
3746 ie->ext_supp_rates = pos;
3747 ie->ext_supp_rates_len = dlen;
3748 } else if (*pos == WLAN_EID_HT_CAP &&
3749 pos[1] >= sizeof(struct ieee80211_ht_capabilities)) {
3750 ie->ht_capabilities = pos + 2;
3751 } else if (*pos == WLAN_EID_AID) {
3752 if (pos[1] >= 2)
3753 ie->aid = WPA_GET_LE16(pos + 2) & 0x3fff;
3754 } else if (*pos == WLAN_EID_VHT_CAP &&
3755 pos[1] >= sizeof(struct ieee80211_vht_capabilities))
3756 {
3757 ie->vht_capabilities = pos + 2;
3758 } else if (*pos == WLAN_EID_EXTENSION &&
3759 pos[1] >= 1 + IEEE80211_HE_CAPAB_MIN_LEN &&
3760 pos[2] == WLAN_EID_EXT_HE_CAPABILITIES) {
3761 ie->he_capabilities = pos + 3;
3762 ie->he_capab_len = pos[1] - 1;
3763 } else if (*pos == WLAN_EID_EXTENSION &&
3764 pos[1] >= 1 +
3765 sizeof(struct ieee80211_he_6ghz_band_cap) &&
3766 pos[2] == WLAN_EID_EXT_HE_6GHZ_BAND_CAP) {
3767 ie->he_6ghz_capabilities = pos + 3;
3768 } else if (*pos == WLAN_EID_EXTENSION &&
3769 pos[1] >= 1 + IEEE80211_EHT_CAPAB_MIN_LEN &&
3770 pos[2] == WLAN_EID_EXT_EHT_CAPABILITIES) {
3771 ie->eht_capabilities = pos + 3;
3772 ie->eht_capab_len = pos[1] - 1;
3773 } else if (*pos == WLAN_EID_QOS && pos[1] >= 1) {
3774 ie->qosinfo = pos[2];
3775 } else if (*pos == WLAN_EID_SUPPORTED_CHANNELS) {
3776 ie->supp_channels = pos + 2;
3777 ie->supp_channels_len = pos[1];
3778 } else if (*pos == WLAN_EID_SUPPORTED_OPERATING_CLASSES) {
3779 /*
3780 * The value of the Length field of the Supported
3781 * Operating Classes element is between 2 and 253.
3782 * Silently skip invalid elements to avoid interop
3783 * issues when trying to use the value.
3784 */
3785 if (pos[1] >= 2 && pos[1] <= 253) {
3786 ie->supp_oper_classes = pos + 2;
3787 ie->supp_oper_classes_len = pos[1];
3788 }
3789 } else if (*pos == WLAN_EID_SSID) {
3790 ie->ssid = pos + 2;
3791 ie->ssid_len = pos[1];
3792 wpa_hexdump_ascii(MSG_DEBUG, "RSN: SSID in EAPOL-Key",
3793 ie->ssid, ie->ssid_len);
3794 } else if (*pos == WLAN_EID_VENDOR_SPECIFIC) {
3795 ret = wpa_parse_generic(pos, ie);
3796 if (ret == 1) {
3797 /* end mark found */
3798 ret = 0;
3799 break;
3800 }
3801
3802 if (ret == 2) {
3803 /* not a known KDE */
3804 wpa_parse_vendor_specific(pos, end, ie);
3805 }
3806
3807 ret = 0;
3808 } else {
3809 wpa_hexdump(MSG_DEBUG,
3810 "WPA: Unrecognized EAPOL-Key Key Data IE",
3811 pos, dlen);
3812 }
3813 }
3814
3815 return ret;
3816 }
3817
3818
3819 #ifdef CONFIG_PASN
3820
3821 /*
3822 * wpa_pasn_build_auth_header - Add the MAC header and initialize Authentication
3823 * frame for PASN
3824 *
3825 * @buf: Buffer in which the header will be added
3826 * @bssid: The BSSID of the AP
3827 * @src: Source address
3828 * @dst: Destination address
3829 * @trans_seq: Authentication transaction sequence number
3830 * @status: Authentication status
3831 */
wpa_pasn_build_auth_header(struct wpabuf * buf,const u8 * bssid,const u8 * src,const u8 * dst,u8 trans_seq,u16 status)3832 void wpa_pasn_build_auth_header(struct wpabuf *buf, const u8 *bssid,
3833 const u8 *src, const u8 *dst,
3834 u8 trans_seq, u16 status)
3835 {
3836 struct ieee80211_mgmt *auth;
3837
3838 wpa_printf(MSG_DEBUG, "PASN: Add authentication header. trans_seq=%u",
3839 trans_seq);
3840
3841 auth = wpabuf_put(buf, offsetof(struct ieee80211_mgmt,
3842 u.auth.variable));
3843
3844 auth->frame_control = host_to_le16((WLAN_FC_TYPE_MGMT << 2) |
3845 (WLAN_FC_STYPE_AUTH << 4));
3846
3847 os_memcpy(auth->da, dst, ETH_ALEN);
3848 os_memcpy(auth->sa, src, ETH_ALEN);
3849 os_memcpy(auth->bssid, bssid, ETH_ALEN);
3850 auth->seq_ctrl = 0;
3851
3852 auth->u.auth.auth_alg = host_to_le16(WLAN_AUTH_PASN);
3853 auth->u.auth.auth_transaction = host_to_le16(trans_seq);
3854 auth->u.auth.status_code = host_to_le16(status);
3855 }
3856
3857
3858 /*
3859 * wpa_pasn_add_rsne - Add an RSNE for PASN authentication
3860 * @buf: Buffer in which the IE will be added
3861 * @pmkid: Optional PMKID. Can be NULL.
3862 * @akmp: Authentication and key management protocol
3863 * @cipher: The cipher suite
3864 */
wpa_pasn_add_rsne(struct wpabuf * buf,const u8 * pmkid,int akmp,int cipher)3865 int wpa_pasn_add_rsne(struct wpabuf *buf, const u8 *pmkid, int akmp, int cipher)
3866 {
3867 struct rsn_ie_hdr *hdr;
3868 u32 suite;
3869 u16 capab;
3870 u8 *pos;
3871 u8 rsne_len;
3872
3873 wpa_printf(MSG_DEBUG, "PASN: Add RSNE");
3874
3875 rsne_len = sizeof(*hdr) + RSN_SELECTOR_LEN +
3876 2 + RSN_SELECTOR_LEN + 2 + RSN_SELECTOR_LEN +
3877 2 + RSN_SELECTOR_LEN + 2 + (pmkid ? PMKID_LEN : 0);
3878
3879 if (wpabuf_tailroom(buf) < rsne_len)
3880 return -1;
3881 hdr = wpabuf_put(buf, rsne_len);
3882 hdr->elem_id = WLAN_EID_RSN;
3883 hdr->len = rsne_len - 2;
3884 WPA_PUT_LE16(hdr->version, RSN_VERSION);
3885 pos = (u8 *) (hdr + 1);
3886
3887 /* Group addressed data is not allowed */
3888 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
3889 pos += RSN_SELECTOR_LEN;
3890
3891 /* Add the pairwise cipher */
3892 WPA_PUT_LE16(pos, 1);
3893 pos += 2;
3894 suite = wpa_cipher_to_suite(WPA_PROTO_RSN, cipher);
3895 RSN_SELECTOR_PUT(pos, suite);
3896 pos += RSN_SELECTOR_LEN;
3897
3898 /* Add the AKM suite */
3899 WPA_PUT_LE16(pos, 1);
3900 pos += 2;
3901
3902 switch (akmp) {
3903 case WPA_KEY_MGMT_PASN:
3904 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_PASN);
3905 break;
3906 #ifdef CONFIG_SAE
3907 case WPA_KEY_MGMT_SAE:
3908 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_SAE);
3909 break;
3910 case WPA_KEY_MGMT_SAE_EXT_KEY:
3911 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_SAE_EXT_KEY);
3912 break;
3913 #endif /* CONFIG_SAE */
3914 #ifdef CONFIG_FILS
3915 case WPA_KEY_MGMT_FILS_SHA256:
3916 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FILS_SHA256);
3917 break;
3918 case WPA_KEY_MGMT_FILS_SHA384:
3919 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FILS_SHA384);
3920 break;
3921 #endif /* CONFIG_FILS */
3922 #ifdef CONFIG_IEEE80211R
3923 case WPA_KEY_MGMT_FT_PSK:
3924 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_PSK);
3925 break;
3926 case WPA_KEY_MGMT_FT_IEEE8021X:
3927 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_802_1X);
3928 break;
3929 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
3930 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384);
3931 break;
3932 #endif /* CONFIG_IEEE80211R */
3933 default:
3934 wpa_printf(MSG_ERROR, "PASN: Invalid AKMP=0x%x", akmp);
3935 return -1;
3936 }
3937 pos += RSN_SELECTOR_LEN;
3938
3939 /* RSN Capabilities: PASN mandates both MFP capable and required */
3940 capab = WPA_CAPABILITY_MFPC | WPA_CAPABILITY_MFPR;
3941 WPA_PUT_LE16(pos, capab);
3942 pos += 2;
3943
3944 if (pmkid) {
3945 wpa_printf(MSG_DEBUG, "PASN: Adding PMKID");
3946
3947 WPA_PUT_LE16(pos, 1);
3948 pos += 2;
3949 os_memcpy(pos, pmkid, PMKID_LEN);
3950 pos += PMKID_LEN;
3951 } else {
3952 WPA_PUT_LE16(pos, 0);
3953 pos += 2;
3954 }
3955
3956 /* Group addressed management is not allowed */
3957 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
3958
3959 return 0;
3960 }
3961
3962
3963 /*
3964 * wpa_pasn_add_parameter_ie - Add PASN Parameters IE for PASN authentication
3965 * @buf: Buffer in which the IE will be added
3966 * @pasn_group: Finite Cyclic Group ID for PASN authentication
3967 * @wrapped_data_format: Format of the data in the Wrapped Data IE
3968 * @pubkey: A buffer holding the local public key. Can be NULL
3969 * @compressed: In case pubkey is included, indicates if the public key is
3970 * compressed (only x coordinate is included) or not (both x and y
3971 * coordinates are included)
3972 * @comeback: A buffer holding the comeback token. Can be NULL
3973 * @after: If comeback is set, defined the comeback time in seconds. -1 to not
3974 * include the Comeback After field (frames from non-AP STA).
3975 */
wpa_pasn_add_parameter_ie(struct wpabuf * buf,u16 pasn_group,u8 wrapped_data_format,const struct wpabuf * pubkey,bool compressed,const struct wpabuf * comeback,int after)3976 void wpa_pasn_add_parameter_ie(struct wpabuf *buf, u16 pasn_group,
3977 u8 wrapped_data_format,
3978 const struct wpabuf *pubkey, bool compressed,
3979 const struct wpabuf *comeback, int after)
3980 {
3981 struct pasn_parameter_ie *params;
3982
3983 wpa_printf(MSG_DEBUG, "PASN: Add PASN Parameters element");
3984
3985 params = wpabuf_put(buf, sizeof(*params));
3986
3987 params->id = WLAN_EID_EXTENSION;
3988 params->len = sizeof(*params) - 2;
3989 params->id_ext = WLAN_EID_EXT_PASN_PARAMS;
3990 params->control = 0;
3991 params->wrapped_data_format = wrapped_data_format;
3992
3993 if (comeback) {
3994 wpa_printf(MSG_DEBUG, "PASN: Adding comeback data");
3995
3996 /*
3997 * 2 octets for the 'after' field + 1 octet for the length +
3998 * actual cookie data
3999 */
4000 if (after >= 0)
4001 params->len += 2;
4002 params->len += 1 + wpabuf_len(comeback);
4003 params->control |= WPA_PASN_CTRL_COMEBACK_INFO_PRESENT;
4004
4005 if (after >= 0)
4006 wpabuf_put_le16(buf, after);
4007 wpabuf_put_u8(buf, wpabuf_len(comeback));
4008 wpabuf_put_buf(buf, comeback);
4009 }
4010
4011 if (pubkey) {
4012 wpa_printf(MSG_DEBUG,
4013 "PASN: Adding public key and group ID %u",
4014 pasn_group);
4015
4016 /*
4017 * 2 octets for the finite cyclic group + 2 octets public key
4018 * length + 1 octet for the compressed/uncompressed indication +
4019 * the actual key.
4020 */
4021 params->len += 2 + 1 + 1 + wpabuf_len(pubkey);
4022 params->control |= WPA_PASN_CTRL_GROUP_AND_KEY_PRESENT;
4023
4024 wpabuf_put_le16(buf, pasn_group);
4025
4026 /*
4027 * The first octet indicates whether the public key is
4028 * compressed, as defined in RFC 5480 section 2.2.
4029 */
4030 wpabuf_put_u8(buf, wpabuf_len(pubkey) + 1);
4031 wpabuf_put_u8(buf, compressed ? WPA_PASN_PUBKEY_COMPRESSED_0 :
4032 WPA_PASN_PUBKEY_UNCOMPRESSED);
4033
4034 wpabuf_put_buf(buf, pubkey);
4035 }
4036 }
4037
4038 /*
4039 * wpa_pasn_add_wrapped_data - Add a Wrapped Data IE to PASN Authentication
4040 * frame. If needed, the Wrapped Data IE would be fragmented.
4041 *
4042 * @buf: Buffer in which the IE will be added
4043 * @wrapped_data_buf: Buffer holding the wrapped data
4044 */
wpa_pasn_add_wrapped_data(struct wpabuf * buf,struct wpabuf * wrapped_data_buf)4045 int wpa_pasn_add_wrapped_data(struct wpabuf *buf,
4046 struct wpabuf *wrapped_data_buf)
4047 {
4048 const u8 *data;
4049 size_t data_len;
4050 u8 len;
4051
4052 if (!wrapped_data_buf)
4053 return 0;
4054
4055 wpa_printf(MSG_DEBUG, "PASN: Add wrapped data");
4056
4057 data = wpabuf_head_u8(wrapped_data_buf);
4058 data_len = wpabuf_len(wrapped_data_buf);
4059
4060 /* nothing to add */
4061 if (!data_len)
4062 return 0;
4063
4064 if (data_len <= 254)
4065 len = 1 + data_len;
4066 else
4067 len = 255;
4068
4069 if (wpabuf_tailroom(buf) < 3 + data_len)
4070 return -1;
4071
4072 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
4073 wpabuf_put_u8(buf, len);
4074 wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
4075 wpabuf_put_data(buf, data, len - 1);
4076
4077 data += len - 1;
4078 data_len -= len - 1;
4079
4080 while (data_len) {
4081 if (wpabuf_tailroom(buf) < 1 + data_len)
4082 return -1;
4083 wpabuf_put_u8(buf, WLAN_EID_FRAGMENT);
4084 len = data_len > 255 ? 255 : data_len;
4085 wpabuf_put_u8(buf, len);
4086 wpabuf_put_data(buf, data, len);
4087 data += len;
4088 data_len -= len;
4089 }
4090
4091 return 0;
4092 }
4093
4094
4095 /*
4096 * wpa_pasn_validate_rsne - Validate PSAN specific data of RSNE
4097 * @data: Parsed representation of an RSNE
4098 * Returns -1 for invalid data; otherwise 0
4099 */
wpa_pasn_validate_rsne(const struct wpa_ie_data * data)4100 int wpa_pasn_validate_rsne(const struct wpa_ie_data *data)
4101 {
4102 u16 capab = WPA_CAPABILITY_MFPC | WPA_CAPABILITY_MFPR;
4103
4104 if (data->proto != WPA_PROTO_RSN)
4105 return -1;
4106
4107 if ((data->capabilities & capab) != capab) {
4108 wpa_printf(MSG_DEBUG, "PASN: Invalid RSNE capabilities");
4109 return -1;
4110 }
4111
4112 if (!data->has_group || data->group_cipher != WPA_CIPHER_GTK_NOT_USED) {
4113 wpa_printf(MSG_DEBUG, "PASN: Invalid group data cipher");
4114 return -1;
4115 }
4116
4117 if (!data->has_pairwise || !data->pairwise_cipher ||
4118 (data->pairwise_cipher & (data->pairwise_cipher - 1))) {
4119 wpa_printf(MSG_DEBUG, "PASN: No valid pairwise suite");
4120 return -1;
4121 }
4122
4123 switch (data->key_mgmt) {
4124 #ifdef CONFIG_SAE
4125 case WPA_KEY_MGMT_SAE:
4126 case WPA_KEY_MGMT_SAE_EXT_KEY:
4127 /* fall through */
4128 #endif /* CONFIG_SAE */
4129 #ifdef CONFIG_FILS
4130 case WPA_KEY_MGMT_FILS_SHA256:
4131 case WPA_KEY_MGMT_FILS_SHA384:
4132 /* fall through */
4133 #endif /* CONFIG_FILS */
4134 #ifdef CONFIG_IEEE80211R
4135 case WPA_KEY_MGMT_FT_PSK:
4136 case WPA_KEY_MGMT_FT_IEEE8021X:
4137 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
4138 /* fall through */
4139 #endif /* CONFIG_IEEE80211R */
4140 case WPA_KEY_MGMT_PASN:
4141 break;
4142 default:
4143 wpa_printf(MSG_ERROR, "PASN: invalid key_mgmt: 0x%0x",
4144 data->key_mgmt);
4145 return -1;
4146 }
4147
4148 if (data->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED) {
4149 wpa_printf(MSG_DEBUG, "PASN: Invalid group mgmt cipher");
4150 return -1;
4151 }
4152
4153 if (data->num_pmkid > 1) {
4154 wpa_printf(MSG_DEBUG, "PASN: Invalid number of PMKIDs");
4155 return -1;
4156 }
4157
4158 return 0;
4159 }
4160
4161
4162 /*
4163 * wpa_pasn_parse_parameter_ie - Validates PASN Parameters IE
4164 * @data: Pointer to the PASN Parameters IE (starting with the EID).
4165 * @len: Length of the data in the PASN Parameters IE
4166 * @from_ap: Whether this was received from an AP
4167 * @pasn_params: On successful return would hold the parsed PASN parameters.
4168 * Returns: -1 for invalid data; otherwise 0
4169 *
4170 * Note: On successful return, the pointers in &pasn_params point to the data in
4171 * the IE and are not locally allocated (so they should not be freed etc.).
4172 */
wpa_pasn_parse_parameter_ie(const u8 * data,u8 len,bool from_ap,struct wpa_pasn_params_data * pasn_params)4173 int wpa_pasn_parse_parameter_ie(const u8 *data, u8 len, bool from_ap,
4174 struct wpa_pasn_params_data *pasn_params)
4175 {
4176 struct pasn_parameter_ie *params = (struct pasn_parameter_ie *) data;
4177 const u8 *pos = (const u8 *) (params + 1);
4178
4179 if (!pasn_params) {
4180 wpa_printf(MSG_DEBUG, "PASN: Invalid params");
4181 return -1;
4182 }
4183
4184 if (!params || ((size_t) (params->len + 2) < sizeof(*params)) ||
4185 len < sizeof(*params) || params->len + 2 != len) {
4186 wpa_printf(MSG_DEBUG,
4187 "PASN: Invalid parameters IE. len=(%u, %u)",
4188 params ? params->len : 0, len);
4189 return -1;
4190 }
4191
4192 os_memset(pasn_params, 0, sizeof(*pasn_params));
4193
4194 switch (params->wrapped_data_format) {
4195 case WPA_PASN_WRAPPED_DATA_NO:
4196 case WPA_PASN_WRAPPED_DATA_SAE:
4197 case WPA_PASN_WRAPPED_DATA_FILS_SK:
4198 case WPA_PASN_WRAPPED_DATA_FT:
4199 break;
4200 default:
4201 wpa_printf(MSG_DEBUG, "PASN: Invalid wrapped data format");
4202 return -1;
4203 }
4204
4205 pasn_params->wrapped_data_format = params->wrapped_data_format;
4206
4207 len -= sizeof(*params);
4208
4209 if (params->control & WPA_PASN_CTRL_COMEBACK_INFO_PRESENT) {
4210 if (from_ap) {
4211 if (len < 2) {
4212 wpa_printf(MSG_DEBUG,
4213 "PASN: Invalid Parameters IE: Truncated Comeback After");
4214 return -1;
4215 }
4216 pasn_params->after = WPA_GET_LE16(pos);
4217 pos += 2;
4218 len -= 2;
4219 }
4220
4221 if (len < 1 || len < 1 + *pos) {
4222 wpa_printf(MSG_DEBUG,
4223 "PASN: Invalid Parameters IE: comeback len");
4224 return -1;
4225 }
4226
4227 pasn_params->comeback_len = *pos++;
4228 len--;
4229 pasn_params->comeback = pos;
4230 len -= pasn_params->comeback_len;
4231 pos += pasn_params->comeback_len;
4232 }
4233
4234 if (params->control & WPA_PASN_CTRL_GROUP_AND_KEY_PRESENT) {
4235 if (len < 3 || len < 3 + pos[2]) {
4236 wpa_printf(MSG_DEBUG,
4237 "PASN: Invalid Parameters IE: group and key");
4238 return -1;
4239 }
4240
4241 pasn_params->group = WPA_GET_LE16(pos);
4242 pos += 2;
4243 len -= 2;
4244 pasn_params->pubkey_len = *pos++;
4245 len--;
4246 pasn_params->pubkey = pos;
4247 len -= pasn_params->pubkey_len;
4248 pos += pasn_params->pubkey_len;
4249 }
4250
4251 if (len) {
4252 wpa_printf(MSG_DEBUG,
4253 "PASN: Invalid Parameters IE. Bytes left=%u", len);
4254 return -1;
4255 }
4256
4257 return 0;
4258 }
4259
4260
wpa_pasn_add_rsnxe(struct wpabuf * buf,u16 capab)4261 void wpa_pasn_add_rsnxe(struct wpabuf *buf, u16 capab)
4262 {
4263 size_t flen;
4264
4265 flen = (capab & 0xff00) ? 2 : 1;
4266 if (!capab)
4267 return; /* no supported extended RSN capabilities */
4268 if (wpabuf_tailroom(buf) < 2 + flen)
4269 return;
4270 capab |= flen - 1; /* bit 0-3 = Field length (n - 1) */
4271
4272 wpabuf_put_u8(buf, WLAN_EID_RSNX);
4273 wpabuf_put_u8(buf, flen);
4274 wpabuf_put_u8(buf, capab & 0x00ff);
4275 capab >>= 8;
4276 if (capab)
4277 wpabuf_put_u8(buf, capab);
4278 }
4279
4280
4281 /*
4282 * wpa_pasn_add_extra_ies - Add protocol specific IEs in Authentication
4283 * frame for PASN.
4284 *
4285 * @buf: Buffer in which the elements will be added
4286 * @extra_ies: Protocol specific elements to add
4287 * @len: Length of the elements
4288 * Returns: 0 on success, -1 on failure
4289 */
4290
wpa_pasn_add_extra_ies(struct wpabuf * buf,const u8 * extra_ies,size_t len)4291 int wpa_pasn_add_extra_ies(struct wpabuf *buf, const u8 *extra_ies, size_t len)
4292 {
4293 if (!len || !extra_ies || !buf)
4294 return 0;
4295
4296 if (wpabuf_tailroom(buf) < sizeof(len))
4297 return -1;
4298
4299 wpabuf_put_data(buf, extra_ies, len);
4300 return 0;
4301 }
4302
4303 #endif /* CONFIG_PASN */
4304
4305
rsn_set_snonce_cookie(u8 * snonce)4306 void rsn_set_snonce_cookie(u8 *snonce)
4307 {
4308 u8 *pos;
4309
4310 pos = snonce + WPA_NONCE_LEN - 6;
4311 WPA_PUT_BE24(pos, OUI_WFA);
4312 pos += 3;
4313 WPA_PUT_BE24(pos, 0x000029);
4314 }
4315
4316
rsn_is_snonce_cookie(const u8 * snonce)4317 bool rsn_is_snonce_cookie(const u8 *snonce)
4318 {
4319 const u8 *pos;
4320
4321 pos = snonce + WPA_NONCE_LEN - 6;
4322 return WPA_GET_BE24(pos) == OUI_WFA &&
4323 WPA_GET_BE24(pos + 3) == 0x000029;
4324 }
4325